Strict flag with different algorithms in multiple connection configurations

Martin Willi martin at strongswan.org
Mon May 2 12:17:10 CEST 2011


> Is it only possible to have one global (even if defined inside a
> connection) single ike/esp definition using strict flag in ipsec.conf?

It's actually not a global definition, but the configuration selection
fails with your setup. When selecting a configuration as a responder,
only the IP addresses are used. As all your configurations match for the
specified IPs, the first one is chosen, where proposal selection does
not find a match.

We could include the received proposal set into the selection algorithm,
but it requires some work. The only workaround I see is to define right
(or left) addresses to select the correct configuration, but this of
course does not work if europa/uranus have dynamic addresses.


