From acc3fe4c95ddc5a433c83a12f8887c8e428ada0a Mon Sep 17 00:00:00 2001
From: Micah R Ledbetter
Date: Sun, 11 Feb 2018 22:59:29 -0600
Subject: [PATCH] Require only one connection per user

Fix an issue where strongswan clients required a separate "conn" section by modifying the client strongswan config to send the client name as leftid.

---
 roles/vpn/templates/client_ipsec.conf.j2 | 1 +
 roles/vpn/templates/ipsec.conf.j2 | 33 ++++++------------------
 2 files changed, 9 insertions(+), 25 deletions(-)

diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2
index 7fde04ab..499638b4 100644
--- a/roles/vpn/templates/client_ipsec.conf.j2
+++ b/roles/vpn/templates/client_ipsec.conf.j2
@@ -21,6 +21,7 @@ conn ikev2-{{ IP_subject_alt_name }}
 leftsourceip=%config
 leftauth=pubkey
+ leftid={{ item }}
 leftcert={{ item }}.crt
 leftfirewall=yes
 left=%defaultroute
diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
index 20f79faa..3b1a17c0 100644
--- a/roles/vpn/templates/ipsec.conf.j2
+++ b/roles/vpn/templates/ipsec.conf.j2
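Review bot: The new `leftid={{ item }}` line carries no explanation of why the client now announces a bare user name, and the only comment that documented this client/server identity coupling is deleted from the server template in the same commit, so the dependency becomes invisible to the next maintainer. I would add above it `# Send the bare user name as our IKE identity; the server's per-user conn matches rightid on it, so it must agree with the name used in ipsec.conf.j2`. strongSwan verifies a peer's IKE identity against the certificate it presents, so this presumably also relies on `{{ item }}.crt` carrying that name in a form accepted for a plain-string ID (typically a subjectAltName rather than only the CN) — worth confirming against the certificate generation and stating in the comment. The `conn ikev2-{{ IP_subject_alt_name }}` section starts outside the hunk.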
@@ -25,36 +25,19 @@ conn %default
 leftsendcert=always
 leftsubnet=0.0.0.0/0,::/0
-# Client configs
-# example: https://www.strongswan.org/testing/testresults/ikev2/config-payload/, especially moon.ipsec.conf
-# NOTE: we specify each client config twice, identically except for the rightid parameter
-# because some clients (e.g. strongswan) send the rightid as "/CN=$user"
-# while others (e.g. macOS) send the rightid as "$user"
+ right=%any
+ rightauth=pubkey
+{% if local_dns is defined and local_dns == "Y" %}
+ rightdns={{ local_service_ip }}
+{% else %}
+ rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
+{% endif %}
 {% for user in users %}
 conn AlgoUser-{{ user }}
- right=%any
 rightid={{ user }}
- rightauth=pubkey
 rightsourceip={{ vpn_network | ipaddr(loop.index) | ipaddr('address') }}
-{% if local_dns is defined and local_dns == "Y" %}
- rightdns={{ local_service_ip }}
-{% else %}
- rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
-{% endif %}
 auto=add
-conn AlgoUser-CN{{ user }}
- right=%any
- rightid="/CN={{ user }}"
- rightauth=pubkey
- rightsourceip={{ vpn_network | ipaddr(loop.index) | ipaddr('address') }}
-{% if local_dns is defined and local_dns == "Y" %}
- rightdns={{ local_service_ip }}
-{% else %}
- rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support is defined and ipv6_support == "yes" %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
-{% endif %}
- auto=add
-
-{% endfor %}
\ No newline at end of file
+{% endfor %}
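Review bot: Moving `right=%any` and `rightauth=pubkey` into `conn %default` deletes the only comment that stated which IKE identity clients are expected to send, and `%default` is inherited by every conn in the file, including any defined outside this hunk, so these settings now apply more widely than the removed per-user lines did. I would restore a short comment before `{% for user in users %}`, e.g. `# One conn per user: clients must send the bare user name as their IKE ID (client_ipsec.conf.j2 sets leftid); rightid is verified against the presented client certificate, so each conn is bound to that user's cert.` The `conn %default` section begins before the hunk, so whether other conns depended on their own right/rightauth values cannot be checked here. As a point of style, the `rightdns` value is still one very long inline Jinja expression; computing it once with `{% set %}` above the loop would make it easier to audit.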