IPsec VPN profiles are configured through swanctl.conf. If more than one profile is defined, this file is not generated correctly.
An example:
set vpn ipsec esp-group ESP01 compression 'disable'
set vpn ipsec esp-group ESP01 lifetime '3600'
set vpn ipsec esp-group ESP01 mode 'tunnel'
set vpn ipsec esp-group ESP01 pfs 'dh-group14'
set vpn ipsec esp-group ESP01 proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP01 proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE01 ikev2-reauth 'no'
set vpn ipsec ike-group IKE01 key-exchange 'ikev2'
set vpn ipsec ike-group IKE01 lifetime '28800'
set vpn ipsec ike-group IKE01 proposal 10 dh-group '14'
set vpn ipsec ike-group IKE01 proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE01 proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN-SPOKE10 authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN-SPOKE10 authentication pre-shared-secret 'SECRET'
set vpn ipsec profile DMVPN-SPOKE10 bind tunnel 'tun10'
set vpn ipsec profile DMVPN-SPOKE10 esp-group 'ESP01'
set vpn ipsec profile DMVPN-SPOKE10 ike-group 'IKE01'
set vpn ipsec profile DMVPN-SPOKE11 authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN-SPOKE11 authentication pre-shared-secret 'SECRET'
set vpn ipsec profile DMVPN-SPOKE11 bind tunnel 'tun11'
set vpn ipsec profile DMVPN-SPOKE11 esp-group 'ESP01'
set vpn ipsec profile DMVPN-SPOKE11 ike-group 'IKE01'
And the generated swanctl.conf:
# generated by /opt/vyatta/sbin/dmvpn-config.pl
connections {
dmvpn-DMVPN-SPOKE10-tun10 {
proposals = aes256-sha256-modp2048
version = 2
rekey_time = 28800s
keyingtries = 0
local {
auth = psk
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha256-modp2048
rekey_time = 3600s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
mode = tunnel
}
}
}
}
secrets {
ike-dmvpn-tun10 {
secret = SECRET
}
}
dmvpn-DMVPN-SPOKE11-tun11 {
proposals = aes256-sha256-modp2048
version = 2
rekey_time = 28800s
keyingtries = 0
local {
auth = psk
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha256-modp2048
rekey_time = 3600s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
mode = tunnel
}
}
}
}
secrets {
ike-dmvpn-tun11 {
secret = SECRET
}
}
The second connection (`dmvpn-DMVPN-SPOKE11-tun11`) is emitted without its own `connections {` header, so it sits at the top level and its closing braces leave one extra `}`; as a result the file is rejected by strongSwan:
/etc/swanctl/swanctl.conf:54: syntax error, unexpected '}', expecting $end or NAME or NEWLINE [}]
invalid config file '/etc/swanctl/swanctl.conf'
no authorities found, 0 unloaded
no pools found, 0 unloaded
no connections found, 0 unloaded