Thanks Paul, I shall take your advice and give it a go. Much appreciated.
Kind Regards

On Thu, 5 Sep 2019 at 22:02, Paul Wouters <[email protected]> wrote:
> On Thu, 5 Sep 2019, Greg Langford wrote:
>
> > My tunnel to my Mikrotik Router establishes without issue; I can send
> > traffic over the tunnel in both directions. However, when I try to connect
> > my road warrior via any connectivity method, be that cellular or wifi, the
> > connection is matching the first found configuration in Libreswan, which is
> > incorrect. The host to host configuration does not use xauth, however my
> > Android VPN client does use xauth.
>
> The connection matching should "switch" to the right connection when
> more information becomes available. The first packet(s) do not contain
> the remote ID yet, so it is not always possible to match the right
> connection on the initial packet.
>
> > Is there a way to configure a connection, e.g. the site to site connection,
> > to only specifically serve requests from a certain ID or certificate?
>
> No, because the first packet is just the DH key exchange and you will not
> have any IDs yet.
>
> > Is it possible to use two different server certificates on Libreswan
> > with different CNs, e.g. vpn1.domain.com and road-warriors.domain.com, to
> > do this?
>
> Yes, and with IKEv2 that is often done for multi-tenant systems because
> with IKEv2 the remote client can send what it thinks the ID of the
> server is (the IDr payload, AKA the "me Tarzan, you Jane" mechanism).
>
> But note that:
> - Windows does not support IDr (big sigh)
> - Android does not support IKEv2 (big sigh, but you can install the
>   strongswan android client for IKEv2)
>
> When using IKEv1 because of android, be sure to use Aggressive Mode
> (aggressive=yes) so that the IDs come in more quickly and connection
> switching can happen. That usually also means using XAUTH.
>
> We have configuration examples on the libreswan wiki
>
> Paul
>
> > I have been trying various configurations but the road warriors are
> > always matching mikrotik-home, not road-warriors.
> >
> > Thank you in advance for your help.
> >
> > My two configurations are as follows.
> >
> > conn mikrotik-home
> >     left=%defaultroute
> >     leftsubnet=10.200.200.1/32
> >     leftsourceip=10.200.200.1
> >     leftcert=<server cert name>
> >     right=%any
> >     rightsubnet=10.200.200.2/32
> >     rightid=@<id sent by mikrotik>
> >     ike=aes128-sha1;modp1024
> >     dpddelay=5
> >     dpdtimeout=15
> >     dpdaction=clear
> >     auto=add
> >
> > conn road-warriors
> >     left=176.58.106.154
> >     leftcert=<server cert name>
> >     leftsendcert=always
> >     leftsubnet=0.0.0.0/0
> >     rightaddresspool=10.20.30.1-10.20.30.254
> >     right=%any
> >     modecfgdns=8.8.8.8,8.8.4.4
> >     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
> >     #modecfgdns1=193.110.157.123
> >     #modecfgdns2=8.8.8.8
> >     leftxauthserver=yes
> >     rightxauthclient=yes
> >     leftmodecfgserver=yes
> >     rightmodecfgclient=yes
> >     modecfgpull=yes
> >     xauthby=alwaysok
> >     ike-frag=yes
> >     # xauthby=pam
> >     # xauthfail=soft
> >     # Can be played with below
> >     # dpddelay=30
> >     # dpdtimeout=120
> >     # dpdaction=clear
> >     #authby=rsasig
> >     pfs=no
> >     auto=add
> >     rekey=no
> >
> > Kind Regards,
> > Greg Langford
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
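Putting Paul's two suggestions into a single ipsec.conf, as an added example that is not code from this thread or from the libreswan wiki: two IKEv2 conns on the same server address that differ only in leftid/leftcert, so that the IDr a client sends selects the right one, plus a separate IKEv1 Aggressive Mode conn for the built-in Android client. The certificate nicknames, hostnames, server address, address pool and the Mikrotik's ID are placeholders I assumed; replace them with the real values.

```ini
# Added example (not from the thread or the libreswan wiki).
# Assumed placeholders:
#   192.0.2.1          public address of the libreswan server
#   vpn1-cert          NSS nickname of the cert whose SubjectAltName is vpn1.domain.com
#   rw-cert            NSS nickname of the cert whose SubjectAltName is road-warriors.domain.com
#   @mikrotik-home     the ID the Mikrotik router sends
# leftid must be an identity actually present in the matching certificate,
# otherwise the peer's certificate check on the server ID fails.

config setup
    logfile=/var/log/pluto.log

# Site-to-site tunnel, IKEv2. Only a peer that presents @mikrotik-home as its
# ID and (for IKEv2 peers sending IDr) names vpn1.domain.com lands here.
conn mikrotik-home
    ikev2=insist
    authby=rsasig
    left=192.0.2.1
    leftid=@vpn1.domain.com
    leftcert=vpn1-cert
    leftsendcert=always
    leftsubnet=10.200.200.1/32
    leftsourceip=10.200.200.1
    right=%any
    rightid=@mikrotik-home
    rightsubnet=10.200.200.2/32
    # copied from the original conn; modp1024 is weak and only worth
    # keeping if the peer cannot negotiate anything stronger
    ike=aes128-sha1;modp1024
    dpddelay=5
    dpdtimeout=15
    dpdaction=clear
    auto=add

# IKEv2 road warriors (e.g. the strongSwan Android client) configured with
# server identity road-warriors.domain.com send that in IDr, which selects
# this conn and therefore the second certificate.
conn road-warriors-ikev2
    ikev2=insist
    authby=rsasig
    left=192.0.2.1
    leftid=@road-warriors.domain.com
    leftcert=rw-cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightaddresspool=10.20.30.1-10.20.30.254
    modecfgdns=8.8.8.8,8.8.4.4
    auto=add

# Built-in Android client: IKEv1 + XAUTH. Aggressive Mode carries the IDs in
# the first exchange, so pluto can switch away from mikrotik-home early.
# Aggressive Mode allows exactly one IKE proposal, hence the single ike= line.
conn road-warriors-ikev1
    ikev2=no
    aggressive=yes
    ike=aes128-sha1;modp1024
    authby=rsasig
    left=192.0.2.1
    leftid=@road-warriors.domain.com
    leftcert=rw-cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightaddresspool=10.20.30.1-10.20.30.254
    modecfgdns=8.8.8.8,8.8.4.4
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    # xauthby=alwaysok (as in the original conn) accepts any username and
    # password; pam makes the XAUTH step an actual credential check
    xauthby=pam
    ike-frag=yes
    auto=add
```

Two practical caveats follow directly from Paul's notes. Windows clients do not send IDr, so for them the two IKEv2 conns on 192.0.2.1 are indistinguishable by server identity; they can only be separated by what they present themselves (client ID, certificate CA), not by which server certificate they expect. And the switch from mikrotik-home to a road-warrior conn still only happens once the ID arrives, so the initial match in the log is expected; the thing to check is the conn name pluto settles on after the ID exchange, not the one it logs on the first packet.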
