[Swan] Using cert DN for connection matching

Jan Koriťák jenda at pudr.com
Fri Jan 28 01:41:19 EET 2022


Hello,

I was trying to have two different address pools for clients based on info in certificate DN.

I did this by configuring two basically identical connections, just with different rightaddresspool and rightid.

conn ikev2-cp-static
  left=%eth0
  leftcert=vpn.example.net
  leftid=@vpn.example.net
  leftsendcert=always
  leftsubnet=10.0.0.0/8
  leftrsasigkey=%cert
  right=%any
  rightid="CN=static,O=IKEv2 VPN"
  rightaddresspool=192.168.43.10-192.168.43.10
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=no
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  mobike=yes

conn ikev2-cp-others
  left=%eth0
  leftcert=vpn.example.net
  leftid=@vpn.example.net
  leftsendcert=always
  leftsubnet=10.0.0.0/8
  leftrsasigkey=%cert
  right=%any
  rightid="CN=vpnclient,O=IKEv2 VPN"
  rightaddresspool=192.168.43.11-192.168.43.250
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=no
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  mobike=yes


This however didn't do what I wanted, because no matter which cert I used on the client, the "ikev2-cp-static" connection was always matched on the server (and subsequently failed certificate auth when I used the cert with CN=vpnclient).

Does that mean only the left/right fields are used to match the connection first, and afterwards the ID is just validated, without falling back to another matching connection?

Is there somewhere I can read more about how exactly the matching works, and also which connection takes precedence if more than one matches? I was not able to find much info about this.

My end goal was to have one client with a statically assigned IP (hence the small address pool), while the other clients get dynamic IPs. I can't use "right" to distinguish them, as they can be behind the same NAT. That's why I tried to use the cert fields. Would anyone have a tip on how else I could accomplish my goal?

Thanks for help!

Regards,
Jan
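An offline check for the setup in the post above, added here as an example (it is not the poster's code and not part of libreswan): it parses the two `conn` sections, pulls out each `rightid`, and reports which section a given client certificate subject would satisfy by DN equality. It assumes, and this is an assumption rather than something the thread confirms, that a DN-form `rightid` is compared against the peer cert subject as an ordered sequence of RDNs with case-insensitive attribute types and exact values, which is the conservative reading; libreswan does the real comparison itself, so this only catches the obvious string mismatches (reversed RDN order, stray spaces, a missing component) before testing against the live server. The subject strings are constructed in the form `openssl x509 -in client.crt -noout -subject -nameopt RFC2253` prints them, and `SAMPLE_CONF` is a trimmed copy of the two connections from the post.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample: a trimmed version of the two connections in the post.
SAMPLE_CONF = """\
conn ikev2-cp-static
  left=%eth0
  right=%any
  rightid="CN=static,O=IKEv2 VPN"
  rightaddresspool=192.168.43.10-192.168.43.10

conn ikev2-cp-others
  left=%eth0
  right=%any
  rightid="CN=vpnclient,O=IKEv2 VPN"
  rightaddresspool=192.168.43.11-192.168.43.250
"""

HEX = set("0123456789abcdefABCDEF")
Rdn = FrozenSet[Tuple[str, str]]  # one RDN: set of (ATTRTYPE, value), '+'-joined


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf-style 'conn NAME' sections into {name: {key: value}}.
    Surrounding double quotes on a value are stripped; '#' starts a comment."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[key.strip()] = value
    return conns


def parse_dn(dn: str) -> Tuple[Rdn, ...]:
    """Split an RFC 4514 string DN into an ordered tuple of RDNs.
    Handles backslash escapes (\\, and \\2C forms) and double-quoted values.
    Assumption for matching: attribute types are case-insensitive, values are
    compared exactly after trimming unescaped whitespace, RDN order matters."""
    rdns: List[Rdn] = []
    attrs: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quotes = False
    i = 0

    def flush_attr() -> None:
        text = "".join(buf).strip()
        buf.clear()
        if "=" not in text:
            raise ValueError(f"RDN component without '=': {text!r}")
        attr_type, value = text.split("=", 1)
        attrs.append((attr_type.strip().upper(), value.strip()))

    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(ch in HEX for ch in nxt):
                buf.append(chr(int(nxt, 16)))  # \2C style hex escape
                i += 3
            else:
                buf.append(dn[i + 1])  # \, \+ \= \" style escape
                i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
            i += 1
            continue
        if not in_quotes and c in ",+":
            flush_attr()
            if c == ",":  # ',' ends the RDN; '+' adds another attribute to it
                rdns.append(frozenset(attrs))
                attrs.clear()
            i += 1
            continue
        buf.append(c)
        i += 1
    flush_attr()
    rdns.append(frozenset(attrs))
    return tuple(rdns)


def matching_conns(conf_text: str, subject_dn: str) -> List[Tuple[str, str]]:
    """Return [(conn_name, rightaddresspool)] for every conn whose rightid is a
    DN equal to subject_dn. Conns whose rightid is not a DN (@fqdn, %any, an
    address) are skipped; a malformed DN rightid is skipped as well."""
    subject = parse_dn(subject_dn)
    hits: List[Tuple[str, str]] = []
    for name, opts in parse_conns(conf_text).items():
        rid = opts.get("rightid", "")
        if "=" not in rid or rid.startswith(("@", "%")):
            continue
        try:
            if parse_dn(rid) == subject:
                hits.append((name, opts.get("rightaddresspool", "")))
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    # Constructed subjects; the third has the RDNs in the opposite order.
    for subject in ("CN=static,O=IKEv2 VPN", "CN=vpnclient,O=IKEv2 VPN",
                    "O=IKEv2 VPN,CN=vpnclient", "CN=nobody,O=IKEv2 VPN"):
        print(f"{subject!r:32} -> {matching_conns(SAMPLE_CONF, subject) or 'no rightid match'}")
```

Running it shows the reversed-order subject matching neither connection, which is the first thing to rule out when a cert that "obviously" carries the right CN still lands on the wrong conn: the string in `rightid` has to list the RDNs in the same order the server sees them in the certificate.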
