[strongSwan] multiple RSA connections

Ali Masoudi masoudi1983 at gmail.com
Tue Oct 9 16:14:35 CEST 2012


Hi

I assumed that strongSwan supports multiple private keys for
multiple connections, for example in RSA connections. However, when I
start ipsec with the config file shown below (the configs at the other
ends are similar to this one), only one of the connections is
established (the second one in the config). If I delete the second one
and restart ipsec, the first one is established instead. Does anybody
have any idea what is going on? Is this because we use
left=192.168.20.190 for both tunnels, or is it because of the same IDs
on the left side?

Thanks
Ali Masoudi

ipsec.conf:
###########################################################
# Global daemon settings.
config setup
        # uniqueids=no: a new IKE SA does not replace existing SAs that use the same peer ID.
        uniqueids="no"

# Defaults inherited by every conn section in this file.
conn %default
        # NOTE(review): 0 is the historical spelling of "retry forever" (%forever); confirm for the version in use.
        keyingtries="0"
        # NOTE(review): the conns shown configure raw RSA keys and no leftcert, so this presumably has no effect here.
        leftsendcert="always"

###########################################################
# Tunnel 192.168.214.214/32 <-> 192.168.50.5/32 via peer 192.168.20.218, IKEv1 with raw RSA keys.
# NOTE(review): left, leftid and leftsubnet are identical to conn t-110 on this page; only the peer,
# the proposals and the local key file differ.
# NOTE(review): as shown, rightrsasigkey follows a blank line and starts at column 0, which looks like a
# mail-wrapping artifact; in ipsec.conf every parameter line of a section has to be indented.
conn t-218
        authby="rsasig"
        auto="start"
        type="tunnel"
        compress="no"
        rekeymargin="540"
        left="192.168.20.190"
        leftid="192.168.20.190"
        leftsubnet="192.168.214.214/32"
        right="192.168.20.218"
        rightid="192.168.20.218"
        rightsubnet="192.168.50.5/32"
        # NOTE(review): MD5 is a legacy hash; prefer a SHA-2 based IKE proposal where both ends support it.
        ike="aes128-md5-modp4096"
        # NOTE(review): 3DES, MD5 and the 1024-bit modp group are all legacy choices for ESP/PFS.
        esp="3des-md5-modp1024"
        # No unit suffix, so both lifetimes are in seconds (one hour).
        keylife="3600"
        ikelifetime="3600"
        # Local public key read from a PEM file.
        # NOTE(review): the file sits under ipsec.d/private, the directory that normally holds private
        # keys; confirm it contains only the public half and that the directory is root-only.
        leftrsasigkey=/usr/local/etc/ipsec.d/private/local_pub_t-218.pem

rightrsasigkey="0sAQPGMU0kl6uWdBJRrW93KfYn3rtrim0HRRQCNAVbE9F/8z9wBmdj0gt3EymD//+cC34foHuCbwXB2ikoDb5+9P/IrLDvFcehIP1n7gqXTEbBXoyTDzqDg/TKE84spy2mg22wpaiMXVGw7OrG7ojag70oWVUGf5EBFuwKVuGYegeNFXkMAY4j4SFXAZaaRfChG/BoMAQVkGQ0/oINBjbDsZqfIE5nVp/75KDoimiJ+YRJENU5AnzjxRKgxAs9X96+PnOnIFrj7sAwiIdA8TegOdHINht7GYNFFM7Ab5p2HuTcKCKX7fFUDdpx2hVMrAVjI/Z5OOwjo/99v07J2F1eJBFZ"

        # NOTE(review): IKEv1 is the legacy protocol version; IKEv2 is preferable where the peer supports it.
        keyexchange="ikev1"
        # Dead peer detection: probe every 30s, declare the peer dead after 60s, then restart the connection.
        dpdaction = restart
        dpddelay = 30s
        dpdtimeout = 60s
###########################################################
# Tunnel 192.168.214.214/32 <-> 192.168.100.10/32 via peer 192.168.20.110, IKEv1 with raw RSA keys.
# NOTE(review): left, leftid and leftsubnet are identical to conn t-218 on this page, while
# leftrsasigkey names a different local key. A local key lookup keyed only on leftid cannot tell the
# two connections apart; check the daemon log to see which private key is actually used for each.
conn t-110
        authby="rsasig"
        auto="start"
        type="tunnel"
        compress="no"
        rekeymargin="540"
        left="192.168.20.190"
        leftid="192.168.20.190"
        leftsubnet="192.168.214.214/32"
        right="192.168.20.110"
        rightid="192.168.20.110"
        rightsubnet="192.168.100.10/32"
        # NOTE(review): 3DES and MD5 are legacy algorithms; prefer AES with a SHA-2 based proposal.
        ike="3des-md5-modp4096"
        # NOTE(review): the 1024-bit modp group is a legacy choice for PFS; use a larger group if the peer allows.
        esp="aes128-sha1-modp1024"
        # No unit suffix, so both lifetimes are in seconds (one hour).
        keylife="3600"
        ikelifetime="3600"
        # Local public key read from a PEM file.
        # NOTE(review): the file sits under ipsec.d/private, the directory that normally holds private
        # keys; confirm it contains only the public half and that the directory is root-only.
        leftrsasigkey=/usr/local/etc/ipsec.d/private/local_pub_t-110.pem
              rightrsasigkey="0sAwEAAbMOsSgRv7ji2IsnVf8qFcwIbqkdNhk0ZCKXdg1U3ynaYCaQEaEh9vyRUvVijkDf/n8VMsg8BDov9YTgi1u4ArftSD9m91RUqrhgjVVBSrCAHUE8d9Q1NHjpJHX5Uf/9lqQSziPm4YhKzIOkwEmIl2iOJSrSPUCMW7qJ5sTEF+AQtf7KFQjgfty71XBm+kAe4OrnU62T0BQhGDMqfhelMkrM9RWOKCUdPH7ngtv0X33B0YnRfnrtnGORCNnuwrI+jgeAjg769pBu2CQWVmIxfcv1/gAV+NLUYnIKRh6+RdEO5iyvx8ByaXLvRKoN2Iu9WDDoFh2oKHy0OutXKpQ6MsM="

        # NOTE(review): IKEv1 is the legacy protocol version; IKEv2 is preferable where the peer supports it.
        keyexchange="ikev1"
        # Dead peer detection: probe every 30s, declare the peer dead after 60s, then restart the connection.
        dpdaction = restart
        dpddelay = 30s
        dpdtimeout = 60s
###########################################################

ipsec.secrets:
###########################################################
# Two RSA private key entries, each with a single selector set to a peer address
# (the right= values of conn t-218 and conn t-110).
# NOTE(review): no passphrase follows either file name, so both key files are presumably stored
# unencrypted; keep ipsec.secrets and the key files readable by root only.
# NOTE(review): how selectors on RSA entries are matched depends on the IKE daemon and version, and
# neither selector equals the local ID 192.168.20.190; verify in the daemon log which key is loaded
# and used for which connection.
192.168.20.218 :  RSA test-218-190.pem
###########################################################
192.168.20.110 :  RSA rsa-110.pem



