[strongSwan] How to select a specific conn
Robert Dahlem
Robert.Dahlem at gmx.net
Fri Dec 28 19:08:40 CET 2018
I found something out myself: if you have rightid=someusername on the
server and a matching leftid=someusername then the server prefers the
matching connection. I will have to investigate a bit more about the
(apparently) undocumented matching mechanism, but it looks like the way
to go.
Unfortunately it seems like you can do something like
rightid=someusername only with a strongSwan client, not with the native
Android or iOS clients. The strongSwan app only does IKEv2, so it
doesn't apply anyway.
Kind regards,
Regards
On 27.12.2018 10:35, Robert Dahlem wrote:
> Hello,
>
> I'm totally new to strongSwan. I am running strongSwan 5.5.1 on Debian
> Stretch. As a first step I set up a test scenario with IKEv1 and PSK in
> my private network. strongSwan is at 192.168.1.15
>
> /etc/ipsec.secrets:
> 192.168.1.15 : PSK "totallysecret"
> dahlem : XAUTH "secrettoo"
>
> /etc/ipsec.conf
> config setup
>     uniqueids=never
>
> conn %default
>     compress=no
>     dpdaction=clear
>
> conn vpnserver
>     auto=add
>     leftauth=psk
>     rightauth=psk
>     rightauth2=xauth
>     rightsourceip=172.28.1.0/24
>
> The client is an Android device in 192.168.1.0/24 with these settings:
> Type: IPSec Xauth PSK
> Server address: 192.168.1.15
> IPSec identifier: (not used)
> IPSec pre-shared key: totallysecret
> Username: dahlem
> Password: secrettoo
>
> Everything works fine so far. Now I would like to introduce a second
> configuration, let's say:
>
> conn vpnserver2
>     [...]
>     rightsourceip=172.28.2.0/24
>
> How do I get the client to choose that second configuration? I could
> probably use the "IPSec identifier", but that would force me to enable
> aggressive mode, which seems to be frowned upon.
>
> And how do I get the server to use a different PSK? In other words: what
> makes the connection between something in "conn" and a specific entry in
> ipsec.secrets?
>
> Kind regards,
> Robert
>
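A worked configuration for the selection mechanism described in the reply above, added here as an example rather than taken from the original posts: two conns that differ only in `rightid` and their address pool, so the server picks the conn whose `rightid` matches the identity the client presents. The identity values `client1`/`client2`, the peer address 192.168.1.50 and the second XAUTH user are assumptions chosen for illustration; the server address, pools and the user `dahlem` come from the original post. The ipsec.secrets part also records the caveat that applies to the second question in the thread: with IKEv1 main mode the pre-shared key has to be found before the peer's identity is exchanged, so the PSK entry can only be selected by IP address (here: the server's own address and any peer), not by the conn or by the username, and a per-conn PSK would require aggressive mode.

```ini
# ---- /etc/ipsec.conf (example, not the original poster's file) ----
config setup
    uniqueids=never

# Settings shared by all conns; lines must be indented to belong to a section.
conn %default
    keyexchange=ikev1
    compress=no
    dpdaction=clear
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

# Chosen when the client's IKE identity (leftid on a strongSwan client) is "client1".
# Identity value is an assumption for this example.
conn vpnserver
    rightid=client1
    rightsourceip=172.28.1.0/24

# Chosen when the client's IKE identity is "client2" (assumed value).
conn vpnserver2
    rightid=client2
    rightsourceip=172.28.2.0/24

# ---- /etc/ipsec.secrets (example, not the original poster's file) ----
# IKEv1 main mode: the PSK is needed before the peer's ID is visible, so the
# selector can only be an address. "%any" matches every peer address.
192.168.1.15 %any : PSK "totallysecret"

# XAUTH credentials are looked up by username after the IKE SA is protected,
# so one entry per user works regardless of which conn was selected.
dahlem  : XAUTH "secrettoo"
second  : XAUTH "another-secret"   # assumed second user for illustration
```

Because the two conns hand out distinct pools (172.28.1.0/24 and 172.28.2.0/24), the assigned client address tells you afterwards which conn a peer landed on, which is the practical way to verify that the `rightid` match did what was intended (for example with `ipsec statusall`).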