[strongSwan-dev] [strongSwan] Multiple proposals with different authentication types
martin at strongswan.org
Mon Jun 29 08:53:38 CEST 2015
> [...] when the cisco initiates a connection with both the
> transforms, the RSA-SIG being first in the list, strongswan replies back
> with a proposal that contains RSA-SIG, because it is the first in the list,
> even though the connection is defined as PSK.
> Is this a bug and is there a way to fix this?
It is a limitation in the IKEv1 proposal handling in charon. strongSwan
5.x does not honor different authentication methods in IKEv1 proposals,
but uses the first one only.
If you look at sa_payload.h, you can see that get_auth_method() returns
a single method only. To support multiple auth methods, we'd have to
return all of them (for example using a bit-set), and use these methods
in main/aggressive_mode.c to select the appropriate config.
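As an added illustration of the limitation described above and of the bit-set approach sketched in the reply, here is a small constructed C model; it is not strongSwan's code, the `struct transform`, `first_auth_method()`, `auth_method_set()` and `config_matches_*()` names are hypothetical, and the only real identifiers are the IKEv1 authentication method values from the IPsec DOI (RFC 2409 Appendix A).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* IKEv1 authentication method values (IPsec DOI, RFC 2409 Appendix A). */
enum auth_method { AUTH_PSK = 1, AUTH_DSS_SIG = 2, AUTH_RSA_SIG = 3 };

/* A transform of an ISAKMP SA payload, reduced to the single attribute that
 * matters here. Constructed model, not strongSwan's sa_payload_t. */
struct transform { enum auth_method auth; };

/* Current behaviour as described in the reply: only the first transform's
 * authentication method is reported, the rest of the proposal is ignored. */
enum auth_method first_auth_method(const struct transform *t, size_t n)
{
    return n ? t[0].auth : 0;
}

/* Proposed alternative: report every offered method as a bit-set, one bit
 * per method that appears in any transform of the proposal. */
uint32_t auth_method_set(const struct transform *t, size_t n)
{
    uint32_t set = 0;
    for (size_t i = 0; i < n; i++)
        set |= 1u << t[i].auth;
    return set;
}

/* Config selection with the current single-method view: a connection
 * configured for local_auth matches only if that method came first. */
bool config_matches_first(const struct transform *t, size_t n,
                          enum auth_method local_auth)
{
    return first_auth_method(t, n) == local_auth;
}

/* Config selection with the bit-set view: the connection matches if its
 * method was offered anywhere in the proposal. */
bool config_matches_set(const struct transform *t, size_t n,
                        enum auth_method local_auth)
{
    return (auth_method_set(t, n) & (1u << local_auth)) != 0;
}

/* Constructed proposal matching the question: RSA-SIG listed first, PSK
 * second, while the local connection is defined as PSK. */
static const struct transform offered[] = { { AUTH_RSA_SIG }, { AUTH_PSK } };
static const size_t offered_len = sizeof(offered) / sizeof(offered[0]);
```

With this input `config_matches_first()` rejects the PSK connection even though PSK was offered, while `config_matches_set()` accepts it, which is the behaviour difference the reply describes.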