[strongSwan] Wildcard matching in ipsec.conf rightid param
Graham Hudspith
graham.hudspith at gmail.com
Mon Mar 21 12:21:22 CET 2011
Dear All,
I wonder if anyone can help me with a strongSwan config issue?
I'm trying to configure a SeGW running strongSwan (v4.5.1) to accept
incoming tunnel attempts and assign them to different virtual address pools.
I thought the easiest way to do this was to create different config entries
with different address pools specified by the rightsourceip param.
Unfortunately, I can't get the wildcarding to work as I would like, meaning
that I have to have ONE config entry for each client when I would actually
like to reduce these down to the bare minimum using wildcarding.
So, as an example, I have three clients coming in using IDi's of
310751001@foo.abc751.def310.bar.org, 235003002@foo.abc003.def235.bar.org and
235010003@foo.abc010.def235.bar.org
I would like the first of these to have its own ipsec.conf entry:
conn foo-abc751-def310
        ...
        rightid=*@foo.abc751.def310.bar.org
        rightsourceip=10.17.0.0/24
        ...
and I was hoping to cover the other two with a combined ipsec.conf entry:
conn foo-def235
        ...
        rightid=*@foo.abc*.def235.bar.org
        rightsourceip=10.17.1.0/24
        ...
However, this does not work. When either of these two try to come in, charon
logs that no peer config was found and rejects the tunnel. Instead, I have
to split them up:
conn foo-abc003-def235
        ...
        rightid=*@foo.abc003.def235.bar.org
        rightsourceip=10.17.1.0/24
        ...
conn foo-abc010-def235
        ...
        rightid=*@foo.abc010.def235.bar.org
        rightsourceip=10.17.2.0/24
        ...
I could probably get away with specifying the same address pool in both of
these cases (i.e. 10.17.1.0/24), but I would REALLY like to combine the two
entries.
This also applies to ipsec.secrets, where I want to specify a combined
secret entry:
*@foo.abc*.def235.bar.org : THE secret
rather than split the entries up:
*@foo.abc003.def235.bar.org : THE secret
*@foo.abc010.def235.bar.org : THE secret
Using *@foo.abc???.def235.bar.org would also be perfectly acceptable, but
I've seen no mention of this in the documentation or code.
Does this make sense? Sound reasonable?
Or am I trying to do things in completely the wrong way (and someone can
suggest a much better way)?
Graham.
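Added example (editor's, not Graham's and not strongSwan's own code). It models the symptom above under one assumption, stated here and in the code: that a `*` in a string-type rightid is honoured only as the very first character (a plain suffix match), so `*@foo.abc*.def235.bar.org` never matches any of the three IDi values. It then renders the per-client fallback the post ends up with (one conn and one ipsec.secrets line per client), choosing the address pool from a small suffix-to-pool table so the mapping is kept in one place. The IDi values are the ones quoted in the post; the pool table, conn-name convention and the `PSK` secret type are hypothetical.

```python
"""Hypothetical helper for the rightid wildcard question in the post above.

match_id()       models string-ID matching where '*' counts only as the FIRST
                 character of the pattern (suffix match).  ASSUMPTION about
                 strongSwan's behaviour; it reproduces the reported symptom.
render_config()  emits the per-client ipsec.conf / ipsec.secrets entries the
                 poster fell back to, picking the pool by domain suffix.
"""
from typing import Dict, List, Tuple

# IDi values quoted in the post (constructed sample, not a real capture).
CLIENTS = [
    "310751001@foo.abc751.def310.bar.org",
    "235003002@foo.abc003.def235.bar.org",
    "235010003@foo.abc010.def235.bar.org",
]

# Hypothetical suffix -> rightsourceip pool table; the longest matching suffix wins.
POOLS = {
    ".def310.bar.org": "10.17.0.0/24",
    ".def235.bar.org": "10.17.1.0/24",
}


def match_id(pattern: str, idi: str) -> bool:
    """True if idi matches pattern under leading-'*'-only semantics (assumed)."""
    if pattern.startswith("*"):
        # "*@host" matches any identity ending in "@host"; an embedded '*'
        # further right is just a literal character and never matches.
        return idi.endswith(pattern[1:])
    return idi == pattern


def uncovered(pattern: str, clients: List[str]) -> List[str]:
    """Clients that a candidate rightid pattern would fail to match."""
    return [c for c in clients if not match_id(pattern, c)]


def split_id(idi: str) -> Tuple[str, str]:
    user, sep, host = idi.partition("@")
    if not sep or not user or not host:
        raise ValueError(f"expected user@host identity, got {idi!r}")
    return user, host


def conn_name(host: str) -> str:
    # Hypothetical convention: foo.abc751.def310.bar.org -> foo-abc751-def310
    labels = host.split(".")
    return "-".join(labels[:-2] if len(labels) > 2 else labels)


def pool_for(host: str, pools: Dict[str, str]) -> str:
    best = ""
    for suffix in pools:
        if host.endswith(suffix) and len(suffix) > len(best):
            best = suffix
    if not best:
        raise LookupError(f"no address pool configured for {host}")
    return pools[best]


def render_config(clients: List[str], pools: Dict[str, str],
                  secret: str = "THEsecret") -> Tuple[str, str]:
    """Return (ipsec.conf text, ipsec.secrets text), one conn per client."""
    conf_parts, secret_lines = [], []
    for idi in clients:
        _, host = split_id(idi)
        rightid = f"*@{host}"
        assert match_id(rightid, idi)      # per-host pattern always covers its client
        conf_parts.append(
            f"conn {conn_name(host)}\n"
            f"        rightid={rightid}\n"
            f"        rightsourceip={pool_for(host, pools)}\n"
        )
        # PSK secret type is assumed; the post only says "THE secret".
        secret_lines.append(f'{rightid} : PSK "{secret}"')
    return "\n".join(conf_parts), "\n".join(secret_lines) + "\n"


if __name__ == "__main__":
    print("unmatched by *@foo.abc*.def235.bar.org:",
          uncovered("*@foo.abc*.def235.bar.org", CLIENTS))
    conf, secrets = render_config(CLIENTS, POOLS)
    print(conf)
    print(secrets)
```

Run it as-is and the inner-wildcard pattern is reported as matching none of the three clients, while the generated per-client entries each pair a `*@host` rightid with the pool for its domain suffix.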