IPsec VPN profiles are rendered into /etc/swanctl/swanctl.conf by /opt/vyatta/sbin/dmvpn-config.pl. With a single profile this works, but as soon as more than one profile is configured the generated file is malformed, strongSwan rejects the whole file, and none of the configured connections is loaded — so no tunnel bound to any profile gets IPsec protection until the file is fixed by hand.
An example:
set vpn ipsec esp-group ESP01 compression 'disable' set vpn ipsec esp-group ESP01 lifetime '3600' set vpn ipsec esp-group ESP01 mode 'tunnel' set vpn ipsec esp-group ESP01 pfs 'dh-group14' set vpn ipsec esp-group ESP01 proposal 10 encryption 'aes256' set vpn ipsec esp-group ESP01 proposal 10 hash 'sha256' set vpn ipsec ike-group IKE01 ikev2-reauth 'no' set vpn ipsec ike-group IKE01 key-exchange 'ikev2' set vpn ipsec ike-group IKE01 lifetime '28800' set vpn ipsec ike-group IKE01 proposal 10 dh-group '14' set vpn ipsec ike-group IKE01 proposal 10 encryption 'aes256' set vpn ipsec ike-group IKE01 proposal 10 hash 'sha256' set vpn ipsec ipsec-interfaces interface 'eth0' set vpn ipsec profile DMVPN-SPOKE10 authentication mode 'pre-shared-secret' set vpn ipsec profile DMVPN-SPOKE10 authentication pre-shared-secret 'SECRET' set vpn ipsec profile DMVPN-SPOKE10 bind tunnel 'tun10' set vpn ipsec profile DMVPN-SPOKE10 esp-group 'ESP01' set vpn ipsec profile DMVPN-SPOKE10 ike-group 'IKE01' set vpn ipsec profile DMVPN-SPOKE11 authentication mode 'pre-shared-secret' set vpn ipsec profile DMVPN-SPOKE11 authentication pre-shared-secret 'SECRET' set vpn ipsec profile DMVPN-SPOKE11 bind tunnel 'tun11' set vpn ipsec profile DMVPN-SPOKE11 esp-group 'ESP01' set vpn ipsec profile DMVPN-SPOKE11 ike-group 'IKE01'
The swanctl.conf that is generated for this configuration (whitespace collapsed; both profiles use the same placeholder PSK "SECRET"):
# generated by /opt/vyatta/sbin/dmvpn-config.pl
connections {
    dmvpn-DMVPN-SPOKE10-tun10 {
        proposals = aes256-sha256-modp2048
        version = 2
        rekey_time = 28800s
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 3600s
                rand_time = 540s
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = tunnel
            }
        }
    }
# BUG: the connections { } section is closed here, after the first profile only
}
secrets {
    # NOTE(review): no id<suffix> entry accompanies this PSK, so it is not tied to a specific
    # peer identity — confirm this is intended for the DMVPN hub/spoke peers
    ike-dmvpn-tun10 {
        secret = SECRET
    }
}
# BUG: the second profile is emitted at top level instead of inside connections { }
dmvpn-DMVPN-SPOKE11-tun11 {
    proposals = aes256-sha256-modp2048
    version = 2
    rekey_time = 28800s
    keyingtries = 0
    local {
        auth = psk
    }
    remote {
        auth = psk
    }
    children {
        dmvpn {
            esp_proposals = aes256-sha256-modp2048
            rekey_time = 3600s
            rand_time = 540s
            local_ts = dynamic[gre]
            remote_ts = dynamic[gre]
            mode = tunnel
        }
    }
    }
# BUG: stray closing brace for a connections { } section that was never reopened;
# this is the "syntax error, unexpected '}'" strongSwan reports, after which it loads nothing
}
secrets {
    ike-dmvpn-tun11 {
        secret = SECRET
    }
}
The `connections { }` section is closed after the first profile and never reopened, so the second connection is emitted at top level and ends with a stray closing brace. strongSwan therefore rejects the entire file and loads zero connections — not just the second one — leaving every profile-bound tunnel without an IPsec policy. (It is worth checking whether the bound GRE interfaces tun10/tun11 still forward traffic unprotected in this state.) The generator should emit one `connections {` header, all connection sections inside it, a single closing brace, and then the `secrets` section. The error on load:
/etc/swanctl/swanctl.conf:54: syntax error, unexpected '}', expecting $end or NAME or NEWLINE [}] invalid config file '/etc/swanctl/swanctl.conf' no authorities found, 0 unloaded no pools found, 0 unloaded no connections found, 0 unloaded