[strongSwan] Questions Regarding setup. Do I really need multiple swan instances?

Konstantin Nebel konnebel at gmx.de
Wed Nov 5 17:10:03 CET 2014


my setup:

Strongswan Debian Server: AND <=> <=>
X.X.X.X (road warrior) <=>

first of all. I know now strongswan, racoon and openswan. And after 5 
minute I realised strongswan is the best even openswan is similar to 
Strongswan. Thank you ! ;)

For the road warrior I decided to use l2tp in combination with xl2tp which is 
working for great for its own.

The Tunnels to both fritzboxes are also running great for its own. All also to 
the same time.

But the problem I have is that in some cases the road warriors are also 
connected to the LAN @ fritzbox1/2 which is not working because the 
preshared key for that ips are different defined.

I thought I can define the ipsec.secrets like that because I thought the 
whole line must match for the preshared key. In my tests I saw I am wrong: : PSK "fritz1" : PSK "fritz2" %any : PSK "other PSK"

The problem I got is, that if I am in the network and I have 
to use the psk for fritzbox 1 or 2... not the one for "OTHER PSK".

So I decided to have more than one Strongswan instance (on different IPs 
or Ports... I dont care). If I dont want to recompile strongswan I have to use 
Strongswan 5.2.1 or newer. Is that right?

Or do I forget a possibility in ipsec which I missed? I hope my problem is 
clear enough explained.

I have no question to get the tunnels working itself. This is already working 
great. I just have questions how to handle the preshared keys.

Why am I using l2tp? It is widely common and is working without additional 
client on iOS, Windows, Android, Linux and MacOS which I really like and has 
enough security I think.

Let me know about your thoughts. Hope I broke no rules of the mailing list.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141105/15571686/attachment.html>

More information about the Users mailing list