Issue #3386

Multiple tunnels between initiator and responder

Added by Krishnamurthy Daulatabad 7 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.8.4
Resolution:
No feedback

Description

We have a requirement like this: we need to have two tunnels between an initiator and a responder using the same initiator X.509 certificate and be able to uniquely identify these two tunnels. We thought of using different leftids. But I understand that leftid must be validated by the certificate. So is there any way to achieve this?

I have given a sample configuration below (which will not work) just to explain our requirement better. We need the client/server to match different configurations for each tunnel and pick different reqids.

Initiator swanctl.conf : (including only relevant fields)

connections {
    site-client1 {
        local_addrs = 60.0.0.2
        remote_addrs = 60.0.0.1
        local {
            id = DNS:client1.example.com
            cert {
                file = client.crt
            }
        }
        remote {
            id = DNS:server1.example.com
        }
        children {
            site-client1 {
                reqid = 100
            }
        }
    }

    site-client2 {
        local_addrs = 60.0.2.2
        remote_addrs = 60.0.0.1
        local {
            id = DNS:client2.example.com
            cert {
                file = client.crt
            }
        }
        remote {
            id = DNS:server1.example.com
        }
        children {
            site-client2 {
                reqid = 200
            }
        }
    }
}

Responder swanctl.conf :

connections {
    site-client1 {
        local_addrs = 60.0.0.1
        remote_addrs = 60.0.0.2
        local {
            id = DNS:server1.example.com
            cert {
                file = server.crt
            }
        }
        remote {
            id = DNS:client1.example.com
        }
        children {
            site-client1 {
                reqid = 100
            }
        }
    }

    site-client2 {
        local_addrs = 60.0.0.1
        remote_addrs = 60.0.2.2
        local {
            id = DNS:server1.example.com
            cert {
                file = server.crt
            }
        }
        remote {
            id = DNS:client2.example.com
        }
        children {
            site-client2 {
                reqid = 200
            }
        }
    }
}

Please note the cert and reqid configuration above.

History

#1 Updated by Tobias Brunner 7 months ago

  • Tracker changed from Feature to Issue
  • Description updated (diff)
  • Category set to configuration
  • Status changed from New to Feedback
  • Start date deleted (27.03.2020)
  • Affected version set to 5.8.4

But I understand that leftid must be validated by the certificate. So is there any way to achieve this?

The identities have to be different to distinguish two tunnels safely. Either the local or remote identity, so change one of them (e.g. use any SAN or the subject DN as identity if you are using certificates).

We need the client/server to match different configurations for each tunnel and pick different reqids.

Note that duplicate policies are not supported unless different marks are used.
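One way to apply what the reply above describes, as an added example that is not part of the original issue or of strongSwan's own documentation: both connections keep using the same client.crt, but the first tunnel authenticates with a subjectAltName of that certificate and the second with its subject DN, so the two IKE_SAs carry different identities and each side can match a distinct connection (and thus a distinct reqid). The SAN client1.example.com, the DN "C=CH, O=Example, CN=client1.example.com" and the server identity server1.example.com are assumptions; substitute whatever your certificates actually contain.

```conf
# Initiator swanctl.conf (added example; identities below are assumed to be
# present in client.crt: one as a DNS SAN, one as the subject DN).
connections {
    site-client1 {
        local_addrs = 60.0.0.2
        remote_addrs = 60.0.0.1
        local {
            auth = pubkey
            # identity 1: a subjectAltName of client.crt
            id = client1.example.com
            cert {
                file = client.crt
            }
        }
        remote {
            auth = pubkey
            id = server1.example.com
        }
        children {
            site-client1 {
                reqid = 100
            }
        }
    }

    site-client2 {
        local_addrs = 60.0.2.2
        remote_addrs = 60.0.0.1
        local {
            auth = pubkey
            # identity 2: the subject DN of the very same client.crt
            id = "C=CH, O=Example, CN=client1.example.com"
            cert {
                file = client.crt
            }
        }
        remote {
            auth = pubkey
            id = server1.example.com
        }
        children {
            site-client2 {
                reqid = 200
                # Only if both children end up with identical traffic selectors
                # (duplicate policies): distinguish them by Netfilter mark and
                # mark the outbound packets yourself (e.g. with iptables MARK).
                # mark_in = 200
                # mark_out = 200
            }
        }
    }
}

# Responder swanctl.conf: remote.id must match the identity the initiator
# sends for each tunnel, i.e. the SAN for one and the DN for the other.
connections {
    site-client1 {
        local_addrs = 60.0.0.1
        remote_addrs = 60.0.0.2
        local {
            auth = pubkey
            id = server1.example.com
            cert {
                file = server.crt
            }
        }
        remote {
            auth = pubkey
            id = client1.example.com
        }
        children {
            site-client1 {
                reqid = 100
            }
        }
    }

    site-client2 {
        local_addrs = 60.0.0.1
        remote_addrs = 60.0.2.2
        local {
            auth = pubkey
            id = server1.example.com
            cert {
                file = server.crt
            }
        }
        remote {
            auth = pubkey
            id = "C=CH, O=Example, CN=client1.example.com"
        }
        children {
            site-client2 {
                reqid = 200
            }
        }
    }
}
```

Before relying on this, confirm with `swanctl --list-certs` that the loaded client certificate really lists both the subject DN and the altName you configured; strongSwan refuses a local identity that the certificate does not contain. After `swanctl --load-conns`, `swanctl --list-sas` shows each CHILD_SA with its reqid, which is the check that the two tunnels are being matched to different configurations. The commented mark_in/mark_out lines are only needed in the duplicate-policy case the reply mentions; in the addresses used here the two children already have different selectors, so no marks are required.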

#2 Updated by Tobias Brunner about 1 month ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
