[strongSwan] Wildcard matching in ipsec.conf rightid param
graham.hudspith at gmail.com
Mon Mar 21 12:21:22 CET 2011
I wonder if anyone can help me with a strongSwan config issue?
I'm trying to configure a SeGW running strongSwan (v4.5.1) to accept
incoming tunnel attempts and assign them to different virtual address pools.
I thought the easiest way to do this was to create different config entries
with different address pools specified by the rightsourceip param.
Unfortunately, I can't get the wildcarding to work as I would like, meaning
that I have to have ONE config entry for each client when I would actually
like to reduce these down to the bare minimum using wildcarding.
So, as an example, I have three clients coming in using IDi values of
310751001@foo.abc751.def310.bar.org, 235003002@foo.abc003.def235.bar.org and
235010003@foo.abc010.def235.bar.org
I would like the first of these to have its own ipsec.conf entry:
and I was hoping to cover the other two with a combined ipsec.conf entry:
However, this does not work. When either of these two try to come in, charon
logs that no peer config was found and rejects the tunnel. Instead, I have
to split them up:
I could probably get away with specifying the same address pool in both of
these cases (i.e. 10.17.1.0/24), but I would REALLY like to combine the two.
This also applies to ipsec.secrets, where I want to specify a combined
*@foo.abc*.def235.bar.org : THE secret
rather than split the entries up:
*@foo.abc003.def235.bar.org : THE secret
*@foo.abc010.def235.bar.org : THE secret
Using *@foo.abc???.def235.bar.org would also be perfectly acceptable, but
I've seen no mention of this in the documentation or code.
Does this make sense? Sound reasonable?
Or am I trying to do things in completely the wrong way (and can someone
suggest a much better way)?