
I need my strongSwan server to serve two domain names. ipsec.conf currently contains: leftid=@sub.domain.com
How can I add another domain? Is this syntax going to work?

leftid=@sub.domain.com,@sub2.domain.com

Below is the current config :

# Global daemon settings (config setup section).
# charondebug sets per-subsystem log levels: ike and knl at 1, cfg at 0.
config setup
    charondebug="ike 1, knl 1, cfg 0"
    # uniqueids=no keeps existing IKE_SAs when the same identity connects again,
    # so one set of credentials can hold several tunnels at the same time.
    uniqueids=no

# IKEv1 connection: pre-shared key in the first round, XAuth user login in the second.
# NOTE(review): if the PSK is shared by all users, any holder of the key can pose as
# the gateway to the others; prefer the certificate-based IKEv2 conns where clients allow.
# No ike=/esp= is set here, so the daemon's default proposals apply.
conn iOS_psk
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftauth=psk
    # Offers all IPv4 destinations to the client (full tunnel).
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    # Second authentication round: XAuth credentials checked through PAM.
    rightauth2=xauth-pam
    # Virtual IP pool for clients; the same range is also set on conn windows7.
    rightsourceip=10.31.2.0/24
    auto=add

# IKEv1 connection for Android clients: PSK on the server side, XAuth via PAM for users.
# NOTE(review): rightauth is not set here although conn iOS_psk sets rightauth=psk, and
# no rightsourceip pool is defined - confirm both are intended.
conn android
        keyexchange=ikev1
        # Trailing "!" makes the list strict: only these proposals are accepted.
        # NOTE(review): the list admits modp1024, SHA-1 and 3DES suites, so a client
        # offering them will be accepted; trim to the stronger entries (sha256/sha384
        # or GCM with modp2048+ or ECP groups) once client compatibility is confirmed.
        ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
        esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
        # The server does not initiate rekeying; the client is expected to.
        rekey=no
        leftauth=psk
        # Bound to one fixed local address, unlike the %defaultroute/%any conns.
        left=51.51.51.51
        # Offers all IPv4 destinations to the client (full tunnel).
        leftsubnet=0.0.0.0/0
        right=%any
        # Second authentication round: XAuth credentials checked through PAM.
        rightauth2=xauth-pam
        modeconfig=push
        auto=add






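# IKEv2 road-warrior connection for iOS clients: the server authenticates with a
# certificate, clients authenticate with EAP-MSCHAPv2.
conn ios-ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # Trailing "!" makes the list strict: only these proposals are accepted.
    # NOTE(review): the list admits modp1024, SHA-1 and 3DES suites, so a client
    # offering them will be accepted; trim to the stronger entries (sha256/sha384
    # or GCM with modp2048+ or ECP groups) once client compatibility is confirmed.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    # Always UDP-encapsulate ESP, even when no NAT is detected.
    forceencaps=yes
    # Drop the SA when a peer stops answering dead-peer-detection probes.
    dpdaction=clear
    dpddelay=300s
    # The server does not initiate rekeying; the client is expected to.
    rekey=no
    left=%any
    # Server identity; it should appear as a subjectAltName in leftcert so that
    # clients can match it against the certificate.
    # NOTE(review): leftid holds one identity, so a second hostname is not added
    # as a comma-separated value - confirm against the ipsec.conf man page. Use a
    # certificate listing both hostnames as SANs, or a separate conn bound to its
    # own address in left=; a client that sends no remote identity gives the
    # server no reason to pick anything but the first matching conn.
    leftid=@sub.domain.com
    leftcert=fullchain.pem
    leftsendcert=always
    # Offers all IPv4 destinations to the client (full tunnel).
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # The EAP-MSCHAPv2 exchange is only as safe as the client's validation of the
    # server certificate; keep certificate checking enforced on the clients.
    rightauth=eap-mschapv2
    rightsourceip=10.15.1.0/24
    # NOTE(review): clients are handed public resolvers - confirm that is intended.
    rightdns=4.2.2.4,8.8.8.8
    rightsendcert=never
    # Ask the client for its EAP identity instead of reusing the IKE identity.
    eap_identity=%identity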

# IKEv2 connection for Windows 7 clients: server certificate, EAP-MSCHAPv2 for users.
# NOTE(review): no leftid is set, so the server identity is presumably derived from
# the certificate - confirm it matches the hostname the clients connect to.
conn windows7
    keyexchange=ikev2
    # Strict ("!") single proposal: AES-256 with SHA-1 and a 1024-bit DH group.
    # NOTE(review): modp1024 and SHA-1 are below current recommendations; add a
    # stronger proposal if the clients can be configured to negotiate one.
    # No esp= is set, so the daemon's default ESP proposals apply.
    ike=aes256-sha1-modp1024!
    # The server does not initiate rekeying; the client is expected to.
    rekey=no
    left=%defaultroute
    leftauth=pubkey
    # Offers all IPv4 destinations to the client (full tunnel).
    leftsubnet=0.0.0.0/0
    leftcert=fullchain.pem
    right=%any
    # The EAP-MSCHAPv2 exchange is only as safe as the client's validation of the
    # server certificate; keep certificate checking enforced on the clients.
    rightauth=eap-mschapv2
    # Virtual IP pool for clients; the same range is also set on conn iOS_psk.
    rightsourceip=10.31.2.0/24
    rightsendcert=never
    # NOTE(review): differs from eap_identity=%identity on conn ios-ikev2-vpn -
    # confirm which behaviour is intended here.
    eap_identity=%any
    auto=add

This config works perfectly for one domain, sub.domain.com. What I'm looking for is a way to create another connection for a new subdomain, such as sub2.domain.com, that does exactly the same thing, but I'm struggling with the syntax.

  • Many clients don't send a remote identity. Are both remote identities actually sent by different clients (i.e. there is a config mismatch)? Or why does a single identity not work?
    – ecdsa
    Commented Dec 8, 2020 at 10:01
  • what I'm trying to achieve here is to be able to connect to ikev2 vpn on iOS with 2 addresses ! I want both sub.domain.com and sub2.domain.com to connect but it seems only one works . Commented Dec 8, 2020 at 10:13
  • What exactly is the problem? Does your server certificate contain both domain names as subjectAltNames? Without logs (preferably from both ends) it's hard to help you.
    – ecdsa
    Commented Dec 8, 2020 at 10:38
  • I edited my question and included my current ipsec.conf file which works great with domain sub.domain.com . I want to know how I should add another domain to this configuration? I already tried creating a new config block with the new address and fullchainnew.pem certificate file which includes certificate for sub2.domain.com but it didn't work . How should I go about this ? Commented Dec 8, 2020 at 12:15
  • If the client does not send a remote identity (no logs, so no idea if that's the issue), the second config won't help you (in particular if you use separate certificates, with a single certificate it might work). The first one will be selected as the server has no reason to switch. You'd have to use separate IP addresses for each domain (configure the IP/hostname in left for each config) for the server to select a different one. If the client actually does send a remote identity, the issue might be something else, but again, without logs, no idea.
    – ecdsa
    Commented Dec 8, 2020 at 13:08
