[strongSwan-dev] support for {left,right}allowany in charon?

Tobias Brunner tobias at strongswan.org
Fri May 25 11:04:11 CEST 2012

Hi Mirko,

> If I understand this correctly, a failed DNS query is treated the same
> as a peer address of %any in ipsec.conf.  In the latter case, retrying
> is not useful, but for a failed DNS query, it would be.

The problem is that there are certainly situations where you don't want
charon to retry, e.g. if the name is actually wrong due to a typo in one
of the GUIs (NetworkManager, Android etc.).

Maybe a new option like retrydns or something could be added, either
globally in strongswan.conf or even connection specific in ipsec.conf.

> Would it be an option to proceed in spite of the missing peer IP
> address, and do the name resolution later, so it can be retried?

Perhaps we could continue (if above option were set) and just hold off
actually sending the packet while the remote address is %any.  Then
regular retransmits would happen (we'd do a DNS lookup before each) and
keyingtries would apply too.

@Martin, any input on this idea?
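The behaviour sketched in the reply above, as an added model in Python that is not strongSwan code: the peer name is resolved before each (re)transmission, the packet is held back while the address is still unknown, and the number of attempts is bounded by keyingtries. The option name `retrydns`, the peer name `vpn.example.org`, the address `192.0.2.1` and the flaky resolver are all assumptions made for the illustration; `retrydns` is only the name proposed in this thread, not an existing option.

```python
"""Model of the proposed "resolve before each retransmit" idea.

Added illustration only; this is not charon's code. The option name
"retrydns" is the one proposed in the thread and does not exist.
"""
from typing import Callable, List, Optional

ANY = "%any"  # placeholder peer address in ipsec.conf: never initiate


def flaky_resolver(answers: List[Optional[str]]) -> Callable[[str], Optional[str]]:
    """Build a fake resolver that returns the given answers in order.

    A None answer stands for a failed DNS query; after the list is
    exhausted every further lookup fails. Constructed test data.
    """
    pending = list(answers)

    def resolve(name: str) -> Optional[str]:
        return pending.pop(0) if pending else None

    return resolve


def initiate(resolve: Callable[[str], Optional[str]], peer: str,
             keyingtries: int, retrydns: bool,
             log: Optional[List[str]] = None) -> Optional[str]:
    """Return the address the first IKE message is sent to, or None.

    Each attempt does a fresh DNS lookup. If the lookup fails and
    retrydns is off, give up immediately (the name may simply be a typo).
    If it is on, hold the packet and let the next "retransmit" try again,
    so keyingtries bounds the total number of attempts.
    """
    if log is None:
        log = []
    if peer == ANY:
        log.append("peer is %any: nothing to initiate, no retry")
        return None
    for attempt in range(1, keyingtries + 1):
        remote = resolve(peer)
        if remote is None:
            if not retrydns:
                log.append(f"try {attempt}: DNS failed, retrydns=no, giving up")
                return None
            log.append(f"try {attempt}: DNS failed, remote still %any, holding packet")
            continue
        log.append(f"try {attempt}: sending to {remote}")
        return remote
    log.append("keyingtries exhausted, remote never resolved")
    return None


if __name__ == "__main__":
    events: List[str] = []
    # Resolver fails twice, then answers: succeeds on the third try.
    addr = initiate(flaky_resolver([None, None, "192.0.2.1"]),
                    "vpn.example.org", keyingtries=3, retrydns=True, log=events)
    print(addr)
    print("\n".join(events))
```

With retrydns off the first failed lookup ends the attempt, exactly as a wrong name should; with it on, the same transient failure is survived as long as keyingtries allows.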


