[strongSwan] multiple RSA connections
Ali Masoudi
masoudi1983 at gmail.com
Tue Oct 16 07:19:55 CEST 2012
It seems that nobody has any idea about this yet. Is there
anybody who has also faced this problem before?
On Tue, Oct 9, 2012 at 5:44 PM, Ali Masoudi <masoudi1983 at gmail.com> wrote:
> Hi
>
> I had supposed that strongSwan supports multiple private keys for
> multiple connections, for example in RSA connections. But when I start
> ipsec with the config file shown below (the configs at the other ends
> are like this config), only one of them is established
> (the second one in the config). If I delete the second one and restart
> ipsec, the first one is established instead. Does anybody have any
> idea what is going on? Is this because we use left=192.168.20.190 for
> both tunnels, or is it because of the same IDs on the left side?
>
> Thanks
> Ali Masoudi
>
> ipsec.conf:
> ###########################################################
> config setup
> uniqueids="no"
>
> conn %default
> keyingtries="0"
> leftsendcert="always"
>
> ###########################################################
> conn t-218
> authby="rsasig"
> auto="start"
> type="tunnel"
> compress="no"
> rekeymargin="540"
> left="192.168.20.190"
> leftid="192.168.20.190"
> leftsubnet="192.168.214.214/32"
> right="192.168.20.218"
> rightid="192.168.20.218"
> rightsubnet="192.168.50.5/32"
> ike="aes128-md5-modp4096"
> esp="3des-md5-modp1024"
> keylife="3600"
> ikelifetime="3600"
> leftrsasigkey=/usr/local/etc/ipsec.d/private/local_pub_t-218.pem
>
> rightrsasigkey="0sAQPGMU0kl6uWdBJRrW93KfYn3rtrim0HRRQCNAVbE9F/8z9wBmdj0gt3EymD//+cC34foHuCbwXB2ikoDb5+9P/IrLDvFcehIP1n7gqXTEbBXoyTDzqDg/TKE84spy2mg22wpaiMXVGw7OrG7ojag70oWVUGf5EBFuwKVuGYegeNFXkMAY4j4SFXAZaaRfChG/BoMAQVkGQ0/oINBjbDsZqfIE5nVp/75KDoimiJ+YRJENU5AnzjxRKgxAs9X96+PnOnIFrj7sAwiIdA8TegOdHINht7GYNFFM7Ab5p2HuTcKCKX7fFUDdpx2hVMrAVjI/Z5OOwjo/99v07J2F1eJBFZ"
>
> keyexchange="ikev1"
> dpdaction = restart
> dpddelay = 30s
> dpdtimeout = 60s
> ###########################################################
> conn t-110
> authby="rsasig"
> auto="start"
> type="tunnel"
> compress="no"
> rekeymargin="540"
> left="192.168.20.190"
> leftid="192.168.20.190"
> leftsubnet="192.168.214.214/32"
> right="192.168.20.110"
> rightid="192.168.20.110"
> rightsubnet="192.168.100.10/32"
> ike="3des-md5-modp4096"
> esp="aes128-sha1-modp1024"
> keylife="3600"
> ikelifetime="3600"
> leftrsasigkey=/usr/local/etc/ipsec.d/private/local_pub_t-110.pem
> rightrsasigkey="0sAwEAAbMOsSgRv7ji2IsnVf8qFcwIbqkdNhk0ZCKXdg1U3ynaYCaQEaEh9vyRUvVijkDf/n8VMsg8BDov9YTgi1u4ArftSD9m91RUqrhgjVVBSrCAHUE8d9Q1NHjpJHX5Uf/9lqQSziPm4YhKzIOkwEmIl2iOJSrSPUCMW7qJ5sTEF+AQtf7KFQjgfty71XBm+kAe4OrnU62T0BQhGDMqfhelMkrM9RWOKCUdPH7ngtv0X33B0YnRfnrtnGORCNnuwrI+jgeAjg769pBu2CQWVmIxfcv1/gAV+NLUYnIKRh6+RdEO5iyvx8ByaXLvRKoN2Iu9WDDoFh2oKHy0OutXKpQ6MsM="
>
> keyexchange="ikev1"
> dpdaction = restart
> dpddelay = 30s
> dpdtimeout = 60s
> ###########################################################
>
> ipsec.secrets:
> ###########################################################
> 192.168.20.218 : RSA test-218-190.pem
> ###########################################################
> 192.168.20.110 : RSA rsa-110.pem
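
The condition the question asks about (several conns sharing the same left address and leftid while naming different leftrsasigkey files) can be checked mechanically. The following is an added example, not part of the original post and not strongSwan code; the function names and the shortened sample config are constructed for illustration, and the check only reports the overlap, it does not establish that the overlap is the cause.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the posted ipsec.conf; leftid is moved
# into conn %default here only to exercise inheritance of default values.
SAMPLE_CONF = '''
conn %default
    leftid="192.168.20.190"

conn t-218
    left="192.168.20.190"
    leftrsasigkey=/usr/local/etc/ipsec.d/private/local_pub_t-218.pem
    dpdaction = restart

conn t-110
    left="192.168.20.190"
    leftrsasigkey=/usr/local/etc/ipsec.d/private/local_pub_t-110.pem
'''

SECTION = re.compile(r'^(config|conn|ca)\s+(\S+)\s*$')
PARAM = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')

def parse_conns(text):
    """Return {conn_name: params}, with conn %default merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and ### separators
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
        elif current is not None and (m := PARAM.match(line)):
            current[m.group(1)] = m.group(2).strip('"')
    default = sections.get(('conn', '%default'), {})
    return {name: {**default, **params}
            for (kind, name), params in sections.items()
            if kind == 'conn' and name != '%default'}

def shared_identity_conflicts(conns):
    """Group conns by (left, leftid); keep groups naming more than one key."""
    groups = defaultdict(dict)
    for name, p in conns.items():
        groups[(p.get('left'), p.get('leftid'))][name] = p.get('leftrsasigkey')
    return {ident: members for ident, members in groups.items()
            if len(set(members.values())) > 1}

if __name__ == '__main__':
    for ident, members in shared_identity_conflicts(parse_conns(SAMPLE_CONF)).items():
        print(ident, members)
```

Section headers are recognised by keyword rather than by indentation, so the parser also accepts a config whose leading whitespace was lost in transit.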