On Thu, 5 Mar 2020, Rian Aldridge wrote:

I'm recently coming to libreswan with configs from strongswan, and whilst I have almost everything working, I'm running into an issue where I have two conn sections for inbound connections, but with different authby= mechanisms.
I cannot find an example on the web of any config files that do this in libreswan, so please let me know if it's just not possible!

The connection from the PSK host will attempt ike2 with the first connection only (certhosts), fails on the phase1 negotiation and returns NO_PROPOSAL_CHOSEN rather than trying 'pskhost'. If I add the ike ciphers to it, then phase1 completes but it insists on a cert authby and returns AUTHENTICATION_FAILED rather than trying the next conn. In strongswan this config would automatically select whichever conn it needed to make the link come up. Turning off certhosts (auto=ignore) has pskhost pass phase1 and 2 with PSK, as does changing the order of the conns in the file.

Code for this has recently improved so please do retry with 3.31.

If possible, the remote endpoints should send the IDr payload, and then
we can switch to the right connection, provided you have different IDs
for the conns as your connections below suggest you do.

I need both because I have site2sites on PSK, and roadwarriors on certificates. 
Neither remote end is libreswan, nor tweakable.
Any suggestions?

If the site2sites are on static IPs, putting in the IPs would help. But
if those are also configured with right=%any, it is a little harder.

Let me know if 3.31 still has this problem for you?

Paul

The (abbreviated) config is below. Setup for IP ranges etc. skipped for brevity.

conn common
  ikev2=insist
  left=%defaultroute

conn certhosts
  also=common
  ike=aes256-sha2;modp2048
  authby=rsasig
  leftcert=myX509
  [email protected]
  right=%any

conn pskhost
  also=common
  ike=aes128-sha1;modp2048
  authby=secret
  leftid=1.2.3.4

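An added example, not from the thread or the libreswan project, of how the two conns could be told apart along the lines Paul suggests: each conn keeps a distinct leftid, so the responder can switch to the matching conn from the IDr the initiator sends, and the PSK site-to-site conn pins its peer to a static address and ID instead of right=%any. The hostname, the peer address and the secret are placeholders.

```ini
# /etc/ipsec.conf (added example; names, addresses and secret are placeholders)
conn common
  ikev2=insist
  left=%defaultroute
  auto=add                  # load both conns so either can respond

# Roadwarriors: certificate auth. Our leftid is what a remote initiator
# sends as IDr, so it must differ from the PSK conn's leftid.
conn certhosts
  also=common
  ike=aes256-sha2;modp2048
  authby=rsasig
  leftcert=myX509
  leftid=@vpn.example.com   # placeholder; must be a name present in myX509
  right=%any

# Site-to-site: PSK. A static peer address and ID instead of right=%any,
# so a PSK initiator is matched here rather than to certhosts first.
conn pskhost
  also=common
  ike=aes128-sha1;modp2048
  authby=secret
  leftid=1.2.3.4
  right=198.51.100.7        # placeholder: the peer's static public address
  rightid=198.51.100.7

# /etc/ipsec.secrets (added example): the PSK is keyed on both IDs
# 1.2.3.4 198.51.100.7 : PSK "placeholder-shared-secret"
```

After reloading, `ipsec status` should list both conns; an initiator that is still rejected will be logged with the ID it sent, which shows which leftid or rightid it fails to match.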

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
