<div dir="ltr">Hi Tobias,<div><br></div><div>Couldn't the peer identity be stored locally in the client after receiving the certificate from the peer in IKE_AUTH response, even if the parameter rightid=%any ?</div><div><br></div><div>Sorry for asking possibly annoying questions, but I would like to understand more on whether it's possible to use INIT_CONTACT anyway... Is there any reason to prevent that kind of implementation?</div><div><br></div><div>Thanks again.</div><div><br></div><div>Regards,</div><div>Marko.</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 14, 2016 at 3:43 PM Tobias Brunner <<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Marko,<br class="gmail_msg">
<br class="gmail_msg">
> Shouldn't the same apply when you use wildcards then ? Because in this<br class="gmail_msg">
> case also is not determined on what the exact peer identity is, but<br class="gmail_msg">
> still the INIT_CONTACT is being sent...?<br class="gmail_msg">
<br class="gmail_msg">
The code currently just checks if there is an IDr before checking for<br class="gmail_msg">
existing connections. With rightid=%any there is none, with wildcards<br class="gmail_msg">
there is. However, such an identity will never match an existing SA as<br class="gmail_msg">
that identity will not equal an actual remote identity, resulting in<br class="gmail_msg">
sending an INITIAL_CONTACT even if there might already be an IKE_SA with<br class="gmail_msg">
a specific peer. So yes, I guess checking for connections and sending<br class="gmail_msg">
an INITIAL_CONTACT doesn't make much sense if rightid contains any<br class="gmail_msg">
wildcards [1].<br class="gmail_msg">
<br class="gmail_msg">
Regards,<br class="gmail_msg">
Tobias<br class="gmail_msg">
<br class="gmail_msg">
[1]<br class="gmail_msg">
<a href="https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/initial-contact-wildcards" rel="noreferrer" class="gmail_msg" target="_blank">https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/initial-contact-wildcards</a><br class="gmail_msg">
</blockquote></div>