On Thu, 5 Sep 2019, Greg Langford wrote:
> My tunnel to my Mikrotik Router establishes without issue; I can send traffic
> over the tunnel in both directions. However, when I try to connect my road warrior
> via any connectivity method, be that cellular or wifi, the connection matches the
> first found configuration in Libreswan, which is incorrect. The host-to-host
> configuration does not use xauth; however, my Android VPN client does use xauth.
The connection matching should "switch" to the right connection when
more information becomes available. The first packet(s) do not contain
the remote ID yet, so it is not always possible to match the right
connection on the initial packet.
> Is there a way to configure a connection, e.g. the site-to-site connection, to
> only specifically serve requests from a certain ID or certificate?
No because the first packet is just the DH key exchange and you will not
have any IDs yet.
> Is it possible to use two different server certificates on Libreswan with
> different CNs, e.g. vpn1.domain.com and road-warriors.domain.com, to do this?
Yes, and with IKEv2 that is often done for multi-tenant systems, because
with IKEv2 the remote client can send what it thinks the ID of the
server is (the IDr payload, AKA the "me Tarzan, you Jane" mechanism).
But note that:
- Windows does not support IDr (big sigh)
- Android does not support IKEv2 (big sigh, but you can install the
strongswan android client for IKEv2)
When using IKEv1 because of Android, be sure to use Aggressive Mode
(aggressive=yes) so that the IDs come in more quickly and connection
switching can happen. That usually also means using XAUTH.
We have configuration examples on the libreswan wiki.
Paul
> I have been trying various configurations, but the road warriors are always
> matching mikrotik-home, not road-warriors.
> Thank you in advance for your help.
> My two configurations are as follows.
>
> conn mikrotik-home
>     left=%defaultroute
>     leftsubnet=10.200.200.1/32
>     leftsourceip=10.200.200.1
>     leftcert=<server cert name>
>     right=%any
>     rightsubnet=10.200.200.2/32
>     rightid=@<id sent by mikrotik>
>     ike=aes128-sha1;modp1024
>     dpddelay=5
>     dpdtimeout=15
>     dpdaction=clear
>     auto=add
>
> conn road-warriors
>     left=176.58.106.154
>     leftcert=<server cert name>
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     rightaddresspool=10.20.30.1-10.20.30.254
>     right=%any
>     modecfgdns=8.8.8.8,8.8.4.4
>     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
>     #modecfgdns1=193.110.157.123
>     #modecfgdns2=8.8.8.8
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=alwaysok
>     ike-frag=yes
>     # xauthby=pam
>     # xauthfail=soft
>     # Can be played with below
>     # dpddelay=30
>     # dpdtimeout=120
>     # dpdaction=clear
>     #authby=rsasig
>     pfs=no
>     auto=add
>     rekey=no
>
> Kind Regards,
> Greg Langford
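A worked ipsec.conf layout for the two road-warrior cases Paul describes (IKEv1 aggressive mode with XAUTH so the client ID arrives in the first packet, and IKEv2 with a second server certificate so the client's IDr selects the conn), as an added example that is not from this thread or the libreswan wiki. The group PSK, the client group ID `@road-warriors`, the second certificate's name placeholder, `xauthby=pam`, and the assumption that each certificate carries its hostname as a SubjectAltName are mine, not Greg's; the mikrotik-home conn is left as posted above.

```ini
# Added example, not the thread's config. IDs decide the conn, not the
# listing order. Certs are assumed to carry their hostname as a
# SubjectAltName so the leftid values below match them.

conn road-warriors-ikev1
    # Android built-in client (IKEv1). Aggressive mode puts the client ID
    # in the first packet, so pluto can switch to this conn instead of
    # staying on the first match. The trade-off: aggressive mode reveals a
    # hash of the PSK to any first-packet sender, so the group PSK (set in
    # ipsec.secrets, assumed) must be long and random.
    ikev2=no
    aggressive=yes
    authby=secret
    left=%defaultroute
    leftid=@vpn1.domain.com
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=@road-warriors            # assumed group ID the client sends
    rightaddresspool=10.20.30.1-10.20.30.254
    modecfgdns=8.8.8.8,8.8.4.4
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=pam                       # per-user credentials, not alwaysok
    ike-frag=yes
    pfs=no
    rekey=no
    auto=add

conn road-warriors-ikev2
    # strongSwan Android client (IKEv2). The client sends IDr, so a second
    # server cert with CN road-warriors.domain.com selects this conn while
    # mikrotik-home keeps the vpn1.domain.com cert.
    ikev2=insist
    left=%defaultroute
    leftid=@road-warriors.domain.com
    leftcert=<road-warriors cert name>
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightaddresspool=10.20.30.1-10.20.30.254
    narrowing=yes
    modecfgdns=8.8.8.8,8.8.4.4
    auto=add
```

After loading both, `ipsec status` lists each conn with its leftid/rightid, and `ipsec whack --trafficstatus` shows which conn an incoming client actually matched.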
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan