[strongSwan] connection "templates"
Justin Pryzby
pryzby at telsasoft.com
Mon Mar 28 18:41:23 CEST 2016
I'm converting 10+ site-to-site VPNs, and 10 more Cisco "remote access"
XAUTH+modecfg VPNs previously handled by the vpnc client, to strongSwan.
I've set a bunch of defaults in conn %default, but need to use different
values for the vpnc clients, and would prefer to inherit from a "template"
connection rather than from some arbitrary, earlier connection of the same type.
Is it possible to define a "conn" section not as a real connection, but rather
as a template which will not be started, or listed in the list of
connections?
I have:
conn %default
    #auto=start
    auto=route
    keyingtries=%forever
    dpdaction=hold
    closeaction=hold
    #
    left=50.244.222.1
    #leftid=50.244.222.1
    #
    authby=secret
    compress=yes
    #XXX:
    keyexchange=ikev1

conn old-vpnc
    left=50.244.222.1
    leftsubnet= # Nothing/dynamic
    modeconfig=pull
    leftsourceip=%config4 #%modconfig6
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    xauth=client
    #
    keyexchange=ikev1
    aggressive=yes
    ikelifetime=2147483s
    #
    # vpnc does something like this, plus reserved, plus variations on
    # keylengths:
    ike=aes256-sha-modp1024,aes256-md5-modp1024,aes192-sha-modp1024,aes192-md5-modp1024,aes128-sha-modp1024,aes128-md5-modp1024,3des-sha-modp1024,3des-md5-modp1024,des-sha-modp1024,des-md5-modp1024,aes256-sha-modp1024,aes256-md5-modp1024,aes192-sha-modp1024,aes192-md5-modp1024,aes128-sha-modp1024,aes128-md5-modp1024,3des-sha-modp1024,3des-md5-modp1024,des-sha-modp1024,des-md5-modp1024
    #
    # We need to masquerade, not just add ip route .. src ..
    leftupdown="sh -xc 'exec >>/var/log/ipsec/updown.log 2>&1; echo; echo \"<<`date`\"; [ \"${PLUTO_VERB#up-}\" != \"$PLUTO_VERB\" ] && x=-I ; [ $? -eq 0 ] || x=-D; iptables -t nat $x POSTROUTING -d $PLUTO_PEER_CLIENT -o $PLUTO_INTERFACE -j SNAT --to $PLUTO_MY_SOURCEIP -m policy --dir out --pol none -m comment --comment \"ipsec:$PLUTO_CONNECTION\" '"
But that means I have this odd output:
$ sudo ipsec statusall |grep vpnc
old-vpnc: 50.244.222.1...%any IKEv1 Aggressive, dpddelay=30s
old-vpnc: local: [50.244.222.1] uses pre-shared key authentication
old-vpnc: local: uses XAuth authentication: any
old-vpnc: remote: uses pre-shared key authentication
old-vpnc: child: dynamic === dynamic TUNNEL, dpdaction=hold
And:
Mar 27 16:56:00 charmander ipsec_starter[9337]: configuration 'old-vpnc' not found
[...]
Mar 27 16:56:00 charmander ipsec_starter[9337]: routing 'old-vpnc' failed
And:
2016-03-24 23:18:28 08[CFG] received stroke: add connection 'old-vpnc'
2016-03-24 23:18:28 08[CFG] conn old-vpnc
[...]
2016-03-24 23:18:28 08[CFG] added configuration 'old-vpnc'
[...]
2016-03-24 23:18:28 14[CFG] installing trap failed, remote address unknown
And:
2016-03-24 23:18:34 14[NET] <16> received packet: from xx.xx1.xx0.xx[500] to 50.244.222.1[500] (84 bytes)
[...]
2016-03-24 23:18:34 14[CFG] <16> looking for pre-shared key peer configs matching 50.244.222.1...xx.xx1.xx0.xx[xx.xx1.xx0.xx]
2016-03-24 23:18:34 14[CFG] <16> candidate "old-vpnc", match: 1/1/1052 (me/other/ike)
2016-03-24 23:18:34 14[CFG] <16> candidate "mtpxx.ike", match: 1/20/3100 (me/other/ike)
2016-03-24 23:18:34 14[CFG] <16> selected peer config "mtpxx.ike"
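As an added example (not code from the post, nor from strongSwan itself), a small Python resolver that models the inheritance the post is after: the ipsec.conf(5) keywords `also=` (include another conn section) and `auto=ignore` (a conn that is never loaded or routed) let a template section exist without being started or listed. The sample sections, and the precedence modelled (a conn's own keys over its `also=` sections over `conn %default`), are assumptions made for this example.

```python
"""Resolve ipsec.conf-style conn inheritance (conn %default, then also=, then the
conn's own keys) and list which conns the starter would actually load."""

# Constructed sample, not the poster's file: one template conn and one real conn.
SAMPLE_CONF = """
conn %default
    auto=route
    keyexchange=ikev1
    left=50.244.222.1
conn vpnc-template
    auto=ignore          # template only: never loaded, routed or listed
    aggressive=yes
    xauth=client
    leftsourceip=%config4
conn old-vpnc
    also=vpnc-template
    auto=route           # must override the template's auto=ignore
    right=198.51.100.7
"""

def parse(text):
    """Parse 'conn NAME' sections into {name: {key: value}}; '#' comments dropped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = val
    return sections

def resolve(sections, name, seen=frozenset()):
    """Effective keys of NAME: own keys beat also= sections, which beat %default
    (assumed precedence, see lead-in). Raises on an also= cycle."""
    if name in seen:
        raise ValueError(f"also= cycle through {name}")
    own = dict(sections[name])
    merged = dict(sections.get("%default", {}))
    for inc in filter(None, own.pop("also", "").split(",")):
        merged.update(resolve(sections, inc.strip(), seen | {name}))
    merged.update(own)
    return merged

def loaded_conns(sections):
    """Conns the starter would load: everything except %default and auto=ignore."""
    return [n for n in sections
            if n != "%default" and resolve(sections, n).get("auto") != "ignore"]
```

With the sample above, `loaded_conns(parse(SAMPLE_CONF))` yields only `old-vpnc`, while `resolve` shows it carrying the template's aggressive/xauth/leftsourceip settings and the %default keyexchange.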