[strongSwan-dev] IKE_AUTH with IDi and IDr

Martin Willi martin at strongswan.org
Thu Sep 4 10:20:28 CEST 2014


Peter,

> In the current implementation, what strongswan configuration parameter
> corresponds to what gets placed into the IDr?  

As discussed, the IDr proposed as initiator is solely based on the
rightid (or the subject of a rightcert) parameter.

> I suppose it's different from the right_id because the right_id is
> usually a URL ending with a ".org", while the APN is a plain text
> string name.

It's not a URL, it is an IKE identity. An IKE identity has a type and
associated binary data. The binary data is type specific. The different
types of identities known by IKE are defined in RFC 5996 3.5. Most
common types are FQDN, E-Mail or ASN1 Distinguished Names.

There is no "plain text" type of identity. To encode an APN, you'll have
to choose one of the existing types; FQDN is probably just fine. Your
spec definitely should say what to use here.

When configuring rightid in ipsec.conf, strongSwan determines the type
of the identity automatically. When configuring an APN, it is probably
handled as FQDN.

Regards
Martin
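To make the points above concrete, here is an added example (not part of the thread, and not strongSwan's own code) that turns a configured rightid string into an IKEv2 Identification payload as laid out in RFC 5996 3.5, and parses it back. The type guessing in classify_identity is an assumed simplification of what strongSwan does for leftid/rightid: the "@" (force FQDN) and "@#hex" (key id) prefixes are strongSwan conventions, but DER-encoded Distinguished Names are rejected here instead of encoded. An APN string with no special characters falls through to FQDN, which is the case discussed in the message.

```python
import ipaddress
import struct

# Identification types from RFC 5996 section 3.5
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

ID_TYPE_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_RFC822_ADDR: "ID_RFC822_ADDR",
    ID_IPV6_ADDR: "ID_IPV6_ADDR",
    ID_DER_ASN1_DN: "ID_DER_ASN1_DN",
    ID_KEY_ID: "ID_KEY_ID",
}


def classify_identity(text):
    """Map a configured identity string to (ID type, binary data).

    Assumption: a simplified model of strongSwan's automatic type detection
    for leftid/rightid. Real strongSwan also parses distinguished names
    ("C=CH, O=..., CN=...") into DER; those are rejected here, not encoded.
    """
    if text.startswith("@#"):
        # strongSwan convention: opaque key id given as hex
        return ID_KEY_ID, bytes.fromhex(text[2:])
    if text.startswith("@"):
        # strongSwan convention: leading "@" forces FQDN
        return ID_FQDN, text[1:].encode("ascii")
    try:
        addr = ipaddress.ip_address(text)
        return (ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR), addr.packed
    except ValueError:
        pass
    if "@" in text:
        return ID_RFC822_ADDR, text.encode("ascii")
    if "=" in text:
        raise ValueError("DN identities need DER encoding; not handled here")
    # Anything else, e.g. an APN such as "internet.apn", becomes an FQDN
    return ID_FQDN, text.encode("ascii")


def build_id_payload(text, next_payload=0):
    """Build an IKEv2 Identification payload (IDi and IDr share the format).

    Layout (generic payload header from RFC 5996 3.2, then 3.5):
      Next Payload (1) | C + RESERVED (1) | Payload Length (2)
      ID Type (1)      | RESERVED (3)     | Identification Data (variable)
    """
    id_type, data = classify_identity(text)
    length = 4 + 4 + len(data)
    return struct.pack("!BBHB3x", next_payload, 0, length, id_type) + data


def parse_id_payload(payload):
    """Parse a payload from build_id_payload; returns (type name, data)."""
    if len(payload) < 8:
        raise ValueError("truncated Identification payload")
    _next, _flags, length, id_type = struct.unpack("!BBHB3x", payload[:8])
    if length != len(payload):
        raise ValueError("Payload Length does not match buffer size")
    if id_type not in ID_TYPE_NAMES:
        raise ValueError("unknown ID type %d" % id_type)
    data = payload[8:]
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return ID_TYPE_NAMES[id_type], str(ipaddress.ip_address(data))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return ID_TYPE_NAMES[id_type], data.decode("ascii")
    return ID_TYPE_NAMES[id_type], data.hex()


if __name__ == "__main__":
    # Constructed sample rightid values; the last is an APN-style name
    for rightid in ("moon.strongswan.org", "carol@strongswan.org",
                    "192.168.0.1", "@#00112233", "internet.apn"):
        print(rightid, "->", parse_id_payload(build_id_payload(rightid)))
```

Running the block prints, for each sample, the ID type the string was mapped to and the data carried in the payload; the APN-style name shows up as ID_FQDN, which is what the message predicts strongSwan will do with it.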
