Hello Tobais
We are using VICI (not configuration files), so I hope we're getting
everything.
For this setup our credential directory looks like this:
/media/sde1/certs/Org1:
Org1.chain Org1.crt Org1.key Org1.sca1 Org1.ta
/media/sde1/certs/Org2:
Org2.chain Org2.crt Org2.key Org2.sca2 Org2.ta
So we only load the "user cert" via VICI; we're letting charon select the
correct key and SCA.
Test 1: loading Org1/Org1.crt (196) and Org2/Org2.crt (211). With this setup the 196
VPN comes up and the 211 VPN does not (incorrect SCA selected).
Test 2: loading only Org2/Org2.crt (211). With this setup the 211 VPN does come up.
Test 3: loading Org1/Org1.crt (211) and Org2/Org2.crt (196). With this setup both
the 211 VPN and the 196 VPN come up.
I verified that the keys are different and that the "user certs" and SCA files are
correct.
The log file indicates the correct "user certs" are used for each tunnel.
What else should I check?
Below is sample code:
/* load connection
* returns: 0 on success, 1 on error
* Note:
*reference doc for swanctl.conf
https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
*reference doc for ipsec.conf: config setup
https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
*example config file /etc/swanctl/swanctl.conf
*/
int load_conn(vici_conn_t *conn, struct s_connection_parameters *param)
{
vici_req_t *req;
vici_res_t *res;
int ret = 0;
char buf[128] = { 0 };
int idx;
chunk_t cert;
//load the user cert
load_cert_from_file( param->local_cert, );
if( cert.ptr == NULL )
{
printf("load connection failed : error loading local cert.\n");
return 1;
}
req = vici_begin("load-conn");
vici_begin_section(req,param->conn_name);
//connections..version
vici_add_key_valuef(req,"version","%s",param->ike_version);
//connections..local_addrs
vici_begin_list(req,"local_addrs");
vici_add_list_itemf(req,"%s",param->local_addrs);
vici_end_list(req);
//connections..remote_addrs
vici_begin_list(req,"remote_addrs");
vici_add_list_itemf(req,"%s",param->remote_addrs);
vici_end_list(req);
//connections..local_port
//connections..remote_port
//connections..proposals
create_list_for_proposals( req, "proposals", param->proposals );
//connections..vips
//note: allows the assignment of "virtual IP's" for local_ts and remote_ts
vici_begin_list(req,"vips");
vici_add_list_itemf(req,"%s","0.0.0.0");
vici_end_list(req);
//connections..aggressive
//connections..pull
//connections..encap
//we do not want to use mobike (no searching for other interfaces)
//note: it is enabled by default
//connections..mobike
//vici_add_key_valuef(req,"mobike","%s","no");
vici_add_key_valuef(req,"mobike","%s",param->mobike);
//connections..dpd_delay
//vici_add_key_valuef(req,"dpd_delay","%s","2s");
vici_add_key_valuef(req,"dpd_delay","%s",param->dpd_delay);
//connections..dpd_timeout
//connections..fragmentation
//connections..send_certreq
//connections..send_cert
/* connections..keyingtries
* Number of retransmission sequences to perform during initial connect.
* Instead of giving up initiation after the first retransmission
sequence with the default value of 1,
* additional sequences may be started according to the configured value.
* A value of 0 initiates a new sequence until the connection establishes
or fails with a permanent error.
*/
//vici_add_key_valuef(req,"keyingtries","%s","0");
vici_add_key_valuef(req,"keyingtries","%s",param->keying_tries);
//connections..unique
//connections..reauth_time
vici_add_key_valuef(req,"reauth_time","%s",param->ike_reauth_time);
//connections..rekey_time
vici_add_key_valuef(req,"rekey_time","%s",param->ike_rekey_time);
//connections..over_time
//connections..rand_time
//connections..pools
//Section for a local authentication round ( local, the
is optional )
vici_begin_section(req,"local");
//connections..local.round
//connections..local.certs
vici_begin_list(req,"certs");
vici_add_list_item(req, cert.ptr, cert.len);
chunk_free();
vici_end_list(req);
//connections..local.pubkeys
//connections..local.auth
//vici_add_key_valuef(req,"auth","%s","eap"); //were only using IKEv2
EAP
//vici_add_key_valuef(req,"auth","%s","pubkey");
vici_add_key_valuef(req,"auth","%s",param->left_auth);
//connections..local.id
vici_add_key_valuef(req,"id","%s",param->local_id);
//connections..local.eap_id
if( strlen( param->eap_id ) )
{//eap_id is available
vici_add_key_valuef(req,"eap_id","%s",param->eap_id);
}