
I'm trying to set up a strongSwan VPN server which should host multiple (Windows 10 internal VPN client) roadwarrior connections, but with different subnets depending on the client's certificate.

root@VPN:/# ipsec version

Linux strongSwan U5.8.2/K5.4.0-26-generic

My setup has 2 pairs of public and private keys, using different CNs, let's say vpn-dev.mycom.com and vpn-liv.mycom.com. The ipsec.conf used looks something like this:

conn vpn-dev
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    ikelifetime=25200s
    leftid=vpn-dev.mycom.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.100.0.0/16-10.100.254.254/16
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    rightcert=ca-cert.pem
    eap_identity=%identity
    ike=aes128-sha1-modp1024


conn vpn-liv
    also=vpn-dev
    leftid=vpn-liv.mycom.com
    leftcert=liv-server-cert.pem
    rightsourceip=10.200.0.0/16-10.200.254.254/16
    rightcert=liv-ca-cert.pem

Both certificate keys are also stored in ipsec.secrets:

vpn-dev.mycom.com : RSA "server-key.pem"
vpn-liv.mycom.com : RSA "liv-server-key.pem"

someuser : EAP "somepassword"

However, as soon as I try to connect to the strongSwan instance, the vpn-dev connection is used and strongSwan does not switch to conn vpn-liv.

Here are the logs during an attempt:

Mar 30 08:47:48 VPN charon: 16[NET] received packet: from X.X.X.X[64558] to X.X.X.X[500] (1084 bytes)
Mar 30 08:47:48 VPN charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] X.X.X.X is initiating an IKE_SA
Mar 30 08:47:48 VPN charon: 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 30 08:47:48 VPN charon: 16[IKE] local host is behind NAT, sending keep alives
Mar 30 08:47:48 VPN charon: 16[IKE] remote host is behind NAT
Mar 30 08:47:48 VPN charon: 16[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64558] (328 bytes)
Mar 30 08:47:48 VPN charon: 06[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 10[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 05[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 14[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (368 bytes)
Mar 30 08:47:48 VPN charon: 14[IKE] received cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:48 VPN charon: 14[IKE] received 69 cert requests for an unknown ca
Mar 30 08:47:48 VPN charon: 14[CFG] looking for peer configs matching X.X.X.X[%any]...X.X.X.X[192.168.0.117]

Mar 30 08:47:48 VPN charon: 14[CFG] selected peer config 'vpn-dev' # << here it has not selected vpn-liv, even though the earlier provided private key only matches vpn-liv

Mar 30 08:47:48 VPN charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 30 08:47:48 VPN charon: 14[IKE] peer supports MOBIKE
Mar 30 08:47:48 VPN charon: 14[IKE] authentication of 'vpn-dev.mycom.com' (myself) with RSA signature successful
Mar 30 08:47:48 VPN charon: 14[IKE] sending end entity cert "CN=vpn-dev.mycom.com"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN DEV CA"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:49 VPN charon: 14[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64548] (364 bytes)
Mar 30 08:47:49 VPN charon: 06[NET] received packet: from X.X.X.X[64618] to X.X.X.X[4500] (92 bytes)
Mar 30 08:47:49 VPN charon: 06[IKE] received (28) error notify

The goal is basically to host 2 VPN endpoints on one machine but provide different IP ranges depending on the login / certificate used.

The local (client) configuration is done with PowerShell:

Import-Certificate -FilePath liv-ca-cert.pem -CertStoreLocation 'Cert:\LocalMachine\Root'
Add-VpnConnection -Name 'LIV VPN' -ServerAddress 'vpn-live.mycom.com' -AuthenticationMethod Eap -IdleDisconnectSeconds 43200

Am I missing something? Is my setup misconfigured? Or is this simply not possible with strongSwan and the Windows 10 internal VPN client?

Flo

3 Answers

It's only possible to switch connections based on the server identity/certificate if either

  • the clients send a remote identity (IDr) in their IKE_AUTH request, which many clients don't (in particular Windows); otherwise there is no identity to match, so the first connection will be used

or

  • if the FQDNs map to different IP addresses, which can be configured as local addresses for the connections so the correct connection is selected early on
ecdsa
  • that's only partly correct [as I learned here](https://serverfault.com/questions/908098/strongswan-clients-access-rights). Using the `rightgroups` workaround you can make use of the `eap_identity` property to identify users. – Flo Mar 30 '22 at 14:34
  • You might want to read your own question again ;) It was explicitly about selecting a config based on the server identity/certificate, not the client identity. (Also, if you haven't noticed, I wrote the other answer :) – ecdsa Mar 31 '22 at 08:30
  • sorry that there was a misunderstanding, I was talking about the certificates used by the clients, as I stated with "depending on the login / used certificate" - also the configs might tell with `rightcert` – Flo Mar 31 '22 at 09:08
  • The clients don't use any certificates to authenticate themselves, whether with your old or your new config. That `rightcert` setting would have broken your config anyway, as none of the clients will ever be authenticating with the actual CA certificate. If you wanted clients to authenticate with a certificate issued by a specific (intermediate) CA, the correct setting would have been `rightca`, but then `rightauth` would also have to be set to `pubkey` or `eap-tls` and not `eap-mschapv2`. And clients obviously would require individual certs/keys and appropriate configs. – ecdsa Mar 31 '22 at 09:21
  • that's clear to me now, but wasn't my point. thanks anyway. – Flo Mar 31 '22 at 10:08

Turns out it is not possible using the certificates, as they are not used to identify users on the server.

So I ended up using a workaround, which is described in this answer, that helps to evaluate the eap_identity.

Now my clients use the same certificate, but based on the logins I can decide which subnet they are going to use.

My ipsec.conf now looks something like this:

conn eap-shared
   type=tunnel
   ike=aes128-sha1-modp1024
   rightauth=eap-mschapv2
   leftcert=server-cert.pem

conn eap-init
   also=eap-shared
   # this config is used to do the EAP-Identity exchange and the
   # authentication of client and server
   eap_identity=%identity
   # the following is used to force a connection switch after
   # the authentication completed
   rightgroups=thisseemsirrelevant
   auto=add

conn eap-liv
   also=eap-shared
   eap_identity=*@liv-some-domain.com
   rightsourceip=10.200.0.0/16-10.200.254.254/16
   auto=add

conn eap-dev
   also=eap-shared
   eap_identity=*@dev-some-domain.com
   rightsourceip=10.100.0.0/16-10.100.254.254/16
   auto=add

It might not be the most elegant solution, but it works in my case.

Flo

For multiple conn configs with the same authentication method, strongSwan is able to select the proper one based on the client's identity.

Using two conn configs for example:

  1. Both right sides using pubkey, we can use rightca as a constraint:
    conn dev-network_ikev2-cert
        rightauth=pubkey
        rightca="C=CN, O=Sample, CN=Develop CA"
        rightsourceip=10.100.0.0/16
        rightdns=8.8.8.8
    
    conn test-network_ikev2-cert
        rightauth=pubkey
        rightca="C=CN, O=Sample, CN=Testing CA"
        rightsourceip=10.200.0.0/16
        rightdns=8.8.8.8
  • In this setup, clients with certificates issued by Develop CA will select config dev-network_ikev2-cert directly.

  • If a client uses certificates issued by Testing CA, strongSwan will first select config dev-network_ikev2-cert, then output constraint check failed: peer not authenticated by CA 'C=CN, O=Sample, CN=Develop CA', and select the next one, test-network_ikev2-cert.

  2. Both right sides using eap-mschapv2, we can use eap_identity as a constraint:
    conn dev-network_ikev2-eap
        rightauth=eap-mschapv2
        eap_identity=*@dev.com
        rightsourceip=10.100.0.0/16
        rightdns=8.8.8.8
    
    conn test-network_ikev2-eap
        rightauth=eap-mschapv2
        eap_identity=*@test.com
        rightsourceip=10.200.0.0/16
        rightdns=8.8.8.8

This is the method used by Flo. strongSwan will do similar check logic as with pubkey.

  • If a client uses an identity in *@test.com, strongSwan will first select dev-network_ikev2-eap, then find that constraint check failed: EAP identity '*@dev.com' required, and select the next one, test-network_ikev2-eap.

Hope this will help.

Lin
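The selection behaviour described in Flo's workaround and in Lin's answer (first candidate config is used for IKE_AUTH, then its constraints are checked against the authenticated peer and, on failure, the next config is tried) can be seen on constructed input with the following model. This is an added example for this thread, not strongSwan's own code: the conn names, EAP identity patterns and CA DNs come from the thread, while the `Peer`/`Conn` classes, the function names, the shortened `rightsourceip` values and the sample peer identities (`bob@liv-some-domain.com`, `mallory@example.org`) are this example's own assumptions. The `rightgroups` check is modelled the way the workaround relies on it: no group attribute ever arrives for a locally authenticated EAP user, so the eap-init config always fails its constraint and selection moves on.

```python
# Added illustration: a small model of strongSwan's responder-side peer-config
# selection as described in the answers above. NOT strongSwan code; the data
# structures, function names and sample peers are assumptions of this example.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Peer:
    """What the responder knows about the client once IKE_AUTH/EAP is done."""
    auth: str                                # "eap-mschapv2" or "pubkey"
    eap_identity: Optional[str] = None       # from the EAP-Identity exchange
    issuer_ca: Optional[str] = None          # DN of the CA that issued the client cert
    groups: Tuple[str, ...] = ()             # group attributes (e.g. from RADIUS); none here


@dataclass
class Conn:
    """The subset of ipsec.conf settings that matter for selection."""
    name: str
    rightauth: str
    eap_identity: Optional[str] = None       # None or "%identity": no constraint
    rightca: Optional[str] = None
    rightgroups: Optional[str] = None
    rightsourceip: Optional[str] = None


def identity_matches(pattern: str, identity: str) -> bool:
    """Wildcard identity match, e.g. '*@dev.com' matches 'alice@dev.com'."""
    return fnmatchcase(identity, pattern)


def constraint_failure(conn: Conn, peer: Peer) -> Optional[str]:
    """Return a reason if the authenticated peer violates conn's constraints, else None."""
    if conn.eap_identity and conn.eap_identity != "%identity":
        if peer.eap_identity is None or not identity_matches(conn.eap_identity, peer.eap_identity):
            return f"EAP identity '{conn.eap_identity}' required"
    if conn.rightca and peer.issuer_ca != conn.rightca:
        return f"peer not authenticated by CA '{conn.rightca}'"
    if conn.rightgroups and conn.rightgroups not in peer.groups:
        return f"group membership to '{conn.rightgroups}' required"
    return None


def select_config(conns: List[Conn], peer: Peer) -> Tuple[Optional[Conn], List[str]]:
    """Walk conns in load order; the first whose constraints the peer satisfies wins.

    Configs with a different rightauth than the peer actually used are not
    candidates. Returns the chosen conn (None if every candidate fails) and a
    log-like trace of what happened.
    """
    trace: List[str] = []
    for conn in conns:
        if conn.rightauth != peer.auth:
            continue
        reason = constraint_failure(conn, peer)
        if reason is None:
            trace.append(f"selected peer config '{conn.name}'")
            return conn, trace
        trace.append(f"constraint check failed: {reason} (switching from '{conn.name}')")
    trace.append("no matching peer config, peer rejected")
    return None, trace


def question_configs() -> List[Conn]:
    """The two conns from the question: no constraint, so vpn-dev always wins."""
    return [
        Conn("vpn-dev", "eap-mschapv2", eap_identity="%identity", rightsourceip="10.100.0.0/16"),
        Conn("vpn-liv", "eap-mschapv2", eap_identity="%identity", rightsourceip="10.200.0.0/16"),
    ]


def flo_configs() -> List[Conn]:
    """Flo's workaround: eap-init exists only to fail its rightgroups check."""
    return [
        Conn("eap-init", "eap-mschapv2", eap_identity="%identity", rightgroups="thisseemsirrelevant"),
        Conn("eap-liv", "eap-mschapv2", eap_identity="*@liv-some-domain.com", rightsourceip="10.200.0.0/16"),
        Conn("eap-dev", "eap-mschapv2", eap_identity="*@dev-some-domain.com", rightsourceip="10.100.0.0/16"),
    ]


def lin_pubkey_configs() -> List[Conn]:
    """Lin's pubkey variant: rightca is the constraint."""
    return [
        Conn("dev-network_ikev2-cert", "pubkey", rightca="C=CN, O=Sample, CN=Develop CA", rightsourceip="10.100.0.0/16"),
        Conn("test-network_ikev2-cert", "pubkey", rightca="C=CN, O=Sample, CN=Testing CA", rightsourceip="10.200.0.0/16"),
    ]


if __name__ == "__main__":
    # Constructed sample peers; the identities are made up for this demo.
    for conns, peer in [
        (question_configs(), Peer("eap-mschapv2", eap_identity="bob@liv-some-domain.com")),
        (flo_configs(), Peer("eap-mschapv2", eap_identity="bob@liv-some-domain.com")),
        (flo_configs(), Peer("eap-mschapv2", eap_identity="mallory@example.org")),
        (lin_pubkey_configs(), Peer("pubkey", issuer_ca="C=CN, O=Sample, CN=Testing CA")),
    ]:
        conn, trace = select_config(conns, peer)
        print(f"{peer.eap_identity or peer.issuer_ca}: {conn.name if conn else 'rejected'}")
        for line in trace:
            print("   ", line)
```

Running it shows the three outcomes the thread discusses: with the question's configs a liv user still lands in vpn-dev (no constraint ever fails), with Flo's configs the same user passes through eap-init and ends up in eap-liv with the 10.200.0.0/16 pool, and a user whose identity matches no pattern is rejected rather than silently dropped into the first pool, which is the property you want from this kind of per-domain split.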