The pre-shared key solution could definitely be worth a try.
I've been experimenting with using "eap_identity" to coerce the selection
depending on the provided username (see config below). Authenticating as
"user1" connects me to vpn1 and "user2" connects to vpn2.
Works great in macOS but still having issues with Windows 10. The first
authentication attempt always fails and when I retry to connect, the second
authentication is successful. Posting the logs below if they are to any help
ipsec.conf
--------------
conn vpn1
eap_identity=user1
left=%any
leftid=@example.org
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.1/24
conn vpn2
eap_identity=user2
left=%any
leftid=@example.org
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.2/24
syslog (first attempt fails)
---------------------------------
charon: 07[NET] received packet: from 36.170.198.412[46981] to
157.140.164.120[500] (1104 bytes)
charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SAKE No N(FRAG_SUP) N(NATD_S_IP)
N(NATD_D_IP) V V V V ]
charon: 07[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
charon: 07[IKE] received MS-Negotiation DiscoveryCapable vendor ID
charon: 07[IKE] received Vid-Initial-Contact vendor ID
charon: 07[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
charon: 07[IKE] 36.170.198.412 is initiating an IKE_SA
charon: 07[IKE] remote host is behind NAT
charon: 07[ENC] generating IKE_SA_INIT response 0[ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
charon: 07[NET] sending packet: from 157.140.164.120[500] to
36.170.198.412[46981] (320 bytes)
charon: 12[NET] received packet: from 36.170.198.412[47029] to
157.140.164.120[4500] (576 bytes)
charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
charon: 12[ENC] received fragment #1 of 2, waiting for complete IKE message
charon: 12[NET] received packet: from 36.170.198.412[47029] to
157.140.164.120[4500] (416 bytes)
charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
charon: 12[ENC] received fragment #2 of 2, reassembling fragmented IKE message
charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR
DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
charon: 12[IKE] received 23 cert requests for an unknown ca
charon: 12[CFG] looking for peer configs
matching157.140.164.120[%any]...36.170.198.412[10.0.2.15]
charon: 12[CFG] selected peer config 'vpn2'
charon: 12[IKE] using configured EAP-Identity user2
charon: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xA7)
charon: 12[IKE] peer supports MOBIKE
charon: 12[IKE] authentication of 'example.org' (myself) with RSA signature
successful
charon: 12[IKE] sending end entity cert "CN=example.org"
charon: 12[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt
Authority X3"
charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH
EAP/REQ/MSCHAPV2 ]
charon: 12[ENC] splitting IKE message with lengthof 3164 bytes into 3 fragments
charon: 12[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
charon: 12[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
charon: 12[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
charon: 12[NET] sending packet: from 157.140.164.120[4500] to
36.170.198.412[47029] (1248 bytes)
charon: 12[NET] sending packet: from 157.140.164.120[4500] to
36.170.198.412[47029] (1248 bytes)
charon: 12[NET] sending packet: from 157.140.164.120[4500] to
36.170.198.412[47029] (800 bytes)
charon: 06[NET] received packet: from 36.170.198.412[47029] to
157.140.164.120[4500] (140 bytes)
charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
charon: 06[IKE] EAP-MS-CHAPv2 username: '%any'
charon: 06[IKE] no EAP key found for hosts '%any'- '%any'
charon: 06[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
charon: 14[MGR] ignoring request with ID 2, already processing
charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
charon: 06[NET] sending packet: from 157.140.164.120[4500] to
36.170.198.412[47029] (124 bytes)
charon: 09[NET] received packet: from 36.170.198.412[47029] to
157.140.164.120[4500] (140 bytes)
charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
charon: 09[IKE] received retransmit of request with ID 2, retransmitting
response
charon: 09[NET] sending packet: from 157.140.164.120[4500] to
36.170.198.412[47029] (124 bytes)
syslog (second attempt succeeds)
---------------------------------------------
charon: 13[NET] received packet: from 36.170.198.412[47029] to
157.140.164.120[4500] (140 bytes)
charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
charon: 13[NET] sending packet: from 157.140.164.120[4500] to
36.170.198.412[47029] (140 bytes)
charon: 08[NET] received packet: from 36.170.198.412[47029] to
157.140.164.120[4500] (76 bytes)
charon: 08[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
charon: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
charon: 08[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
charon: 08[NET] sending packet: from 157.140.164.120[4500] to
36.170.198.412[47029] (76 bytes)
charon: 11[NET] received packet: from 36.170.198.412[47029] to
157.140.164.120[4500] (92 bytes)
charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
charon: 11[IKE] authentication of '10.0.2.15' with EAP successful
charon: 11[IKE] authentication of 'example.org' (myself) with EAP
charon: 11[IKE] IKE_SA vpn2[59] established between
157.140.164.120[example.org]...36.170.198.412[10.0.2.15]
charon: 11[IKE] scheduling reauthentication in 9946s
charon: 11[IKE] maximum IKE_SA lifetime 10486s
charon: 11[IKE] peer requested virtual IP %any
charon: 11[CFG] reassigning offline lease to 'user2'
charon: 11[IKE] assigning virtual IP 10.10.10.2 to peer 'user2'
charon: 11[IKE] peer requested virtual IP %any6
charon: 11[IKE] no virtual IP found for %any6 requested by 'user2'
charon: 11[IKE] CHILD_SA vpn2{8} established withSPIs c5c3c57a_i 18e3d53e_o and
TS 0.0.0.0/0 === 10.10.10.2/32
charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi
TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
charon: 11[NET] sending packet: from 157.140.164.120[4500] to
36.170.198.412[47029] (252 bytes)
________________________________
From: bls s <bls3...@outlook.com>
Sent: Wednesday, September 26, 2018 20:54
To: Marwan Khalili; Christian Salway
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id
(leftid) for IKEv2
Not trying to muddy the waters, but I think it depends on what Auth method
you're using. If you're using cert-based auth with IKEV2 I don't think that
there's any way to send an ID. On the other hand, if you're using IPSEC with a
pre-shared key, I think you can coerce the selection of a different connection.
It would definitely be interesting to get some definitive input and validated
testing on this!
From: Users <users-boun...@lists.strongswan.org> on behalf of Marwan Khalili
<choklad_...@hotmail.com>
Sent: Wednesday, September 26, 2018 5:16 AM
To: Christian Salway
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id
(leftid) for IKEv2
I have looked through the options but can not find it. Would be very grateful
if you could describe how to do it when you have time.
I am using the VPN client built-in Windows 10. I have searched for an option
corresponding the "Remote ID" in macOS in the following locations to no avail:
- Settings -> Network & Internet -> VPN
- Control Panel -> Network and Internet -> Network Connections
- rasphone.pbk - %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk
- PowerShell documentation for Add-VpnConnection and
Set-VpnConnectionIPsecConfiguration
From: Christian Salway <christian.sal...@naimuri.com>
Sent: Wednesday, September 26, 2018 01:29
To: bls s
Cc: Marwan Khalili; users@lists.strongswan.org
Subject: Re: [strongSwan] Help! I can't configure Windows 10 to send remote id
(leftid) for IKEv2
You can set the ID in windows 10 if you go through the options for the
connection you will see it. Not near a computer otherwise I’d get you the
instructions.
On 26 Sep 2018, at 02:30, bls s <bls3...@outlook.com> wrote:
I'm curious about this as well. From my work on pistrong (see elsewhere), it
looks to me like Windows doesn't have a way to send an ID that you can use for
matching. I haven't tried this, but you might be able to make it work by using
a separate "VPN certificate" for the Windows connection that has an altname in
it corresponding to a secondary DNS name for your server. You can then have
Windows connect to the secondary DNS name and, in theory, it would eventually
match that connection.
Again, just a theory, I'm definitely interested in other approaches to solving
this.
From: Users <users-boun...@lists.strongswan.org> on behalf of Marwan Khalili
<choklad_...@hotmail.com>
Sent: Tuesday, September 25, 2018 7:47 AM
To: users@lists.strongswan.org
Subject: [strongSwan] Help! I can't configure Windows 10 to send remote id
(leftid) for IKEv2
Hello,
I have a strongSwan server running with the ipsec.conf pasted below.
The clients are using Windows 10 and macOS and they must be able to choose
connection. I am trying to separate the connections using "leftid" with
different subdomains for each connection (e.g. vpn1.example.org,
vpn2.example.org).
My solution below works in macOS by matching "Remote ID" with the appropriate
"leftid", however I can't get it to work in Windows 10.
I am very grateful to any help or ideas of how I can solve this.
ipsec.conf
--------------
conn %default
auto=add
dpdaction=clear
dpddelay=180s
eap_identity=%any
esp=aes256-sha256,aes256-sha1,3des-sha1!
forceencaps=yes
ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
keyexchange=ikev2
leftcert=cert.pem
leftsendcert=always
rightauth=eap-mschapv2
rightsendcert=never
conn conn1
left=%any
leftid=@vpn1.example.org
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.1/24
conn conn2
left=%any
leftid=@vpn2.khalili.xyz
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.2/24
