[strongSwan] multiple id for same ipsec peer
Tobias Brunner
tobias at strongswan.org
Tue May 8 11:39:18 CEST 2018
Hi Marco,
> I would like to ask if this swanctl.conf file is
> equivalent to the above ipsec.conf:
No, you just redefined the value of `id`. There is currently no exact
equivalent for the `also` keyword in swanctl.conf, so you have to work
with `include`. That is, you extract all the shared settings into a
separate file, e.g.
customer.conf:

    local_addrs = my_public
    remote_addrs = customer_public
    local {
        auth = psk
        id = my_public
    }
    remote {
        auth = psk
    }
    children {
        customer-networks {
            local_ts = 10.28.155.0/24
            remote_ts = 10.10.92.0
            esp_proposals = aes256-sha384-ecp521
        }
    }
    proposals = aes256-sha384-ecp521
    send_cert = never
    send_certreq = no

and then you include that file where appropriate and override settings
that are different, i.e. this is what the `connections` section of
swanctl.conf could look like:
    connections {
        customer-public {
            include customer.conf
            remote {
                id = customer_public
            }
            children {
                customer-networks {
                    start_action = trap
                }
            }
        }
        customer-private {
            include customer.conf
            remote {
                id = 192.168.53.22
            }
        }
    }

Similarly, you redefined the ID that is associated with the PSK.
However, there you can define multiple identities (as suggested by
Christian) by adding multiple keys with the `id` prefix.
Regards,
Tobias
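To make the include-and-override mechanics concrete, here is a small constructed parser for the swanctl.conf section syntax (added here; it is not strongSwan's parser, which additionally handles globs in `include`, quoting and more). It assumes `include` paths are resolved relative to the including file's directory and that a repeated key overwrites the earlier value, and it uses the connection and child names from the thread plus a constructed `secrets` section with a placeholder PSK. Running it shows that both connections inherit the shared settings while keeping different remote IDs, that several `id`-prefixed keys attach multiple identities to one secret, and that writing `id` twice in one section does not yield two IDs.

```python
"""Toy parser for the swanctl.conf section syntax (constructed example, not
strongSwan's own parser): shows how `include` plus per-connection overrides
yield two connections that share settings but carry different remote IDs,
and that assigning `id` twice in one section merely overwrites it."""
import re
import tempfile
from pathlib import Path

ASSIGN = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")
OPEN = re.compile(r"^([\w.-]+)\s*\{$")


def merge(dst, src):
    """Merge parsed sections; scalar keys in src override those in dst."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            merge(dst[key], value)
        else:
            dst[key] = value


def parse_file(path):
    """Parse one file into nested dicts. `include` is resolved relative to
    the including file's directory (an assumption here) and merged in place;
    a later `key = value` overrides an earlier one with the same key."""
    path = Path(path)
    root = {}
    stack = [root]
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif (m := OPEN.match(line)):
            # reopening a section (e.g. `remote {` after an include) merges into it
            stack.append(stack[-1].setdefault(m.group(1), {}))
        elif line.startswith("include "):
            target = path.parent / line.split(None, 1)[1].strip()
            merge(stack[-1], parse_file(target))
        elif (m := ASSIGN.match(line)):
            stack[-1][m.group(1)] = m.group(2).strip()  # redefinition overwrites
        else:
            raise ValueError(f"{path}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"{path}: unbalanced braces")
    return root


# Constructed files, modelled on the thread's customer.conf / swanctl.conf.
CUSTOMER_CONF = """local_addrs = my_public
remote_addrs = customer_public
local {
    auth = psk
    id = my_public
}
remote {
    auth = psk
}
children {
    customer-networks {
        local_ts = 10.28.155.0/24
        remote_ts = 10.10.92.0
    }
}
proposals = aes256-sha384-ecp521
"""

SWANCTL_CONF = """connections {
    customer-public {
        include customer.conf
        remote {
            id = customer_public
        }
        children {
            customer-networks {
                start_action = trap
            }
        }
    }
    customer-private {
        include customer.conf
        remote {
            id = 192.168.53.22
        }
    }
}
secrets {
    ike-customer {
        # several identities for one PSK: multiple keys with the `id` prefix
        id-1 = customer_public
        id-2 = 192.168.53.22
        secret = 0sPLACEHOLDER_NOT_A_REAL_PSK
    }
}
"""


def parse_text(text, name="x.conf", extra=None):
    """Write constructed text (plus optional extra files) to a temp dir and parse it."""
    with tempfile.TemporaryDirectory() as d:
        for fname, body in (extra or {}).items():
            (Path(d) / fname).write_text(body)
        p = Path(d) / name
        p.write_text(text)
        return parse_file(p)


def load_example():
    return parse_text(SWANCTL_CONF, "swanctl.conf", {"customer.conf": CUSTOMER_CONF})


def remote_ids(conf):
    """Map each connection name to its effective remote.id after overrides."""
    return {name: c["remote"]["id"] for name, c in conf["connections"].items()}


def psk_identities(conf, secret_name):
    """All identities bound to one secret: every key starting with `id`."""
    return [v for k, v in conf["secrets"][secret_name].items() if k.startswith("id")]


def redefined_id_keeps_last():
    """The original question's approach: `id` written twice in one section."""
    conf = parse_text("remote {\n  id = customer_public\n  id = 192.168.53.22\n}\n")
    return conf["remote"]["id"]  # only the last assignment survives


if __name__ == "__main__":
    cfg = load_example()
    print(remote_ids(cfg))
    print(psk_identities(cfg, "ike-customer"))
    print(redefined_id_keeps_last())
```

The `children` override is the interesting case: `customer-public` reopens the `customer-networks` child it got from the include and only adds `start_action = trap`, so `local_ts` and `remote_ts` remain in place, while `customer-private` keeps the child untouched.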