Home / server / Questions / 1097369
Accepted
Flo
Asked: 2022-03-31 02:22:43 +0800 CST

Strongswan / Ipsec multiple roadwarrior connections different subnets

  • 772

I'm trying to setup a StrongSwan VPN Server which should host multiple (Windows 10 - internal vpn client) roadwarrior connections, but different subnets, depending on the clients certificate.

root@VPN:/# ipsec version

Linux strongSwan U5.8.2/K5.4.0-26-generic

My setup has 2 pairs of public and private key, using a different CNs let's say vpn-dev.mycom.com and vpn-liv.mycom.com. The used ipsec.conf looks something like this:

conn vpn-dev
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    ikelifetime=25200s
    leftid=vpn-dev.mycom.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.100.0.0/16-10.100.254.254/16
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    rightcert=ca-cert.pem
    eap_identity=%identity
    ike=aes128-sha1-modp1024


conn vpn-liv
    also=vpn-dev
    leftid=vpn-liv.mycom.com
    leftcert=liv-server-cert.pem
    rightsourceip=10.200.0.0/16-10.200.254.254/16
    rightcert=liv-ca-cert.pem

both certificate keys are also stored in the ipsec.secrets

vpn-dev.mycom.com : RSA "server-key.pem"
vpn-liv.mycom.com : RSA "liv-server-key.pem"

someuser : EAP "somepassword"

However as soon as i try to connect to the strongswan instance, the vpn-dev connection is used and strongswan is not switching to conn vpn-liv

here are the logs during a try:

Mar 30 08:47:48 VPN charon: 16[NET] received packet: from X.X.X.X[64558] to X.X.X.X[500] (1084 bytes)
Mar 30 08:47:48 VPN charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] X.X.X.X is initiating an IKE_SA
Mar 30 08:47:48 VPN charon: 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 30 08:47:48 VPN charon: 16[IKE] local host is behind NAT, sending keep alives
Mar 30 08:47:48 VPN charon: 16[IKE] remote host is behind NAT
Mar 30 08:47:48 VPN charon: 16[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64558] (328 bytes)
Mar 30 08:47:48 VPN charon: 06[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 10[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 05[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 14[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (368 bytes)
Mar 30 08:47:48 VPN charon: 14[IKE] received cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:48 VPN charon: 14[IKE] received 69 cert requests for an unknown ca
Mar 30 08:47:48 VPN charon: 14[CFG] looking for peer configs matching X.X.X.X[%any]...X.X.X.X[192.168.0.117]

Mar 30 08:47:48 VPN charon: 14[CFG] selected peer config 'vpn-dev' # << here it has not selected vpn-live, even if the earlier provided private key is only matching vpn-live

Mar 30 08:47:48 VPN charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 30 08:47:48 VPN charon: 14[IKE] peer supports MOBIKE
Mar 30 08:47:48 VPN charon: 14[IKE] authentication of 'vpn-dev.mycom.com' (myself) with RSA     signature successful
Mar 30 08:47:48 VPN charon: 14[IKE] sending end entity cert "CN=vpn-dev.mycom.com"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN DEV CA"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:49 VPN charon: 14[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64548] (364 bytes)
Mar 30 08:47:49 VPN charon: 06[NET] received packet: from X.X.X.X[64618] to X.X.X.X[4500] (92 bytes)
Mar 30 08:47:49 VPN charon: 06[IKE] received (28) error notify

the goal is basically to host 2 vpn endpoints on one machine but provide different ip ranges depending on the login / used certificate.

The local configuration is done with (powershell)

Import-Certificate -FilePath liv-ca-cert.pem -CertStoreLocation 'Cert:\LocalMachine\Root'
Add-VpnConnection -Name 'LIV VPN' -ServerAddress 'vpn-live.mycom.com' -AuthenticationMethod Eap -IdleDisconnectSeconds 43200

am i missing something? is my setup misconfigured? or is this simply not possible with strongswan and windows 10 internal vpn client?

windows vpn ipsec strongswan point-to-site-vpn

3 Answers

  1. It's only possible to switch connections based on the server identity/certificate if either

    • the clients send a remote identity (IDr) in their IKE_AUTH request, which many clients don't (in particular Windows), otherwise, there is no identity to match, so the first connection will be used

    or

    • if the FQDNs map to different IP addresses, which can be configured as local addresses for the connections so the correct connection is selected early on
    • 0
  2. Best Answer

    Turns out it is not possible using the certificate as they are not used to identify users on the server.

    So i ended up using a workaround which is described in this answer which helps to evaluate the eap_identiy.

    Now my clients use the same certificate, but based on the logins i can decide which subnet they are going to use.

    My ipsec.conf now looks something like this:

    conn eap-shared
   type=tunnel
   ike=aes128-sha1-modp1024
   rightauth=eap-mschapv2
   leftcert=server-cert.pem

conn eap-init
   also=eap-shared
   # this config is used to do the EAP-Identity exchange and the
   # authentication of client and server
   eap_identity=%identity
   # the following is used to force a connection switch after
   # the authentication completed
   rightgroups=thisseemsirrelevant
   auto=add

conn eap-liv
   also=eap-shared
   eap_identity=*@liv-some-domain.com
   rightsourceip=10.200.0.0/16-10.200.254.254/16
   auto=add

conn eap-dev
   also=eap-shared
   eap_identity=*@dev-some-domain.com
   rightsourceip=10.100.0.0/16-10.100.254.254/16
   auto=add

    might not be the most elegant solution but works in my case.

    • 0

  3. For multiple conn configs with same authenticate method, Strongswan is able to select the proper one based on the client's identity.

    Using two conn configs for example:

    1. Both right side using pubkey, we can use rightca as constraint:
        conn dev-network_ikev2-cert
        rightauth=pubkey
        rightca="C=CN, O=Sample, CN=Develop CA"
        rightsourceip=10.100.0.0/16
        rightdns=8.8.8.8
    
    conn test-network_ikev2-cert
        rightauth=pubkey
        rightca="C=CN, O=Sample, CN=Testing CA"
        rightsourceip=10.200.0.0/16
        rightdns=8.8.8.8

    • In this setup, client with certificates issued by Develop CA will select config dev-network_ikev2-cert directly.

    • If client using certificates issued by Testing CA, strongswan will first select config dev-network_ikev2-cert, then output constraint check failed: peer not authenticated by CA 'C=CN, O=Sample, CN=Develop CA', and select the next one test-network_ikev2-cert.

    1. Both right side using eap-mschapv2, we can use eap_identity as constraint:
        conn dev-network_ikev2-eap
        rightauth=eap-mschapv2
        eap_identity=*@dev.com
        rightsourceip=10.100.0.0/16
        rightdns=8.8.8.8
    
    conn test-network_ikev2-eap
        rightauth=eap-mschapv2
        eap_identity=*@test.com
        rightsourceip=10.200.0.0/16
        rightdns=8.8.8.8

    This is the method used by Flo. Strongswan will do the similar check logic as using pubkey.

    • If client using identity in *@test.com, strongswan will first select dev-network_ikev2-eap, then find that constraint check failed: EAP identity '*@dev.com' required, and select the next one test-network_ikev2-eap.

    Hope this will help.

    • 0