[strongSwan-dev] Multiple proposals with different authentication types

[SM K]

Hi,

It seems that strongswan does not consider the authentication type in the
configuration when selecting proposals. I have a cisco device which is
configured with two transform proposals, one for rsa-sig and and one for
PSK. Strongswan is configured with a connection definition that uses PSK
only. However when the cisco initiates a connection with both the
transforms, the RSA-SIG being first  in the list, strongswan replies back
with a proposal that contains RSA-SIG, because it is the first in the list,
even though the connection is defined as PSK. Now, in my case, the
connection setup fails when the cisco tries to authenticate with certs,
because proper certs have not been setup between the device and strongswan.
However, if strongswan had replied with authentication=PSK, this connection
would have succeeded. The cisco has a transform with rsa-sig for
authentication in order to talk to another peer, i sadly cannot change the
cisco config.

This used to work properly with pluto (strongswan 4.6).

Is this a bug and is there a way to fix this?

regards,
sk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150626/db0e6946/attachment.html>