I'm recently coming to libreswan with configs from strongswan, and whilst I have almost everything working, I'm running into an issue where I have two conn sections for inbound connections, but with different authby= mechanisms.
I cannot find an example on the web of any config files that do this in libreswan, so please let me know if it's just not possible! The connection from the PSK host will attempt ike2 with the first connection only (certhosts), fails on the phase1 negotiation and returns NO_PROPOSAL_CHOSEN rather than trying 'pskhost'. If I add the ike ciphers to it, then phase1 completes but it insists on a cert authby and returns AUTHENTICATION_FAILED rather than trying the next conn. In strongswan this config would automatically select whichever conn it needed to make the link come up. Turning off certhosts (auto=ignore) has pskhost pass phase1 and 2 with PSK, as does changing the order of the conns in the file. I need both because I have site2sites on PSK, and roadwarriors on certificates. Neither remote end is libreswan, nor tweakable. Any suggestions? The (abbreviated) config is below.

Setup for ip ranges etc skipped for brevity

    conn common
        ikev2=insist
        left=%defaultroute

    conn certhosts
        also=common
        ike=aes256-sha2;modp2048
        authby=rsasig
        leftcert=myX509
        [email protected]
        right=%any

    conn pskhost
        also=common
        ike=aes128-sha1;modp2048
        authby=secret
        leftid=1.2.3.4
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
