[strongSwan] Multiple connections - parameters from first conn are used?

Tobias Brunner tobias at strongswan.org
Sun Sep 23 08:11:47 CEST 2012

Hi Mark,

> Sometimes when a connection comes up and it is the
> second connection in the ipsec.conf file, strongSwan tries to use
> parameters from the first connection listed. For example, if I define
> the ike and esp algorithms in the second connection listed, it would
> always use the ike and esp parameters listed in my first connection.

The problem is that when a client connects the gateway has basically
just the IP addresses available to find a matching config.  So if you
have more than one connection with right=%any, the ike parameters of the
first one will be used.  Later, the connection could be switched to
another config based on the IKE identities (left|rightid), so esp
parameters could vary between such connections.

> Also I think when it tries to match a config to a certificate id, if each
> connection has similar parameters, it will use the first connection
> it finds going from top-to-bottom. Is this normal behavior?

Yes, the daemon checks each config from top-to-bottom and applies a
score as to how good a match the config is based on the IP addresses and
identities.  If no better match is found the first config will be used.
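
As an added illustration of the behaviour described in this reply (example configuration written for this page, not taken from the original message or from the strongSwan project), here is an ipsec.conf excerpt with two road-warrior conns that both use right=%any. The conn names, identities, certificate file and cipher suites are assumptions chosen for the example.

```ini
# --- Problematic layout: both conns match the same address pair -----------
# When a peer sends IKE_SA_INIT, the gateway only knows the IP addresses,
# so both conns match and "roadwarrior-a" (listed first) wins.  Its ike=
# line is the only IKE proposal set the responder will accept, so a client
# proposing the "roadwarrior-b" suite is answered with NO_PROPOSAL_CHOSEN.
# Only after IKE_AUTH, once rightid is known, can the IKE_SA be switched
# to "roadwarrior-b", whose esp= line then applies to the CHILD_SA.

conn roadwarrior-a
    left=%defaultroute
    leftcert=gwCert.pem           # assumed gateway certificate
    leftid=@gw.example.org        # assumed identities
    leftsubnet=10.0.0.0/24
    right=%any
    rightid=@alice.example.org
    ike=aes256-sha256-modp2048!   # used for every peer hitting right=%any
    esp=aes256-sha256!
    auto=add

conn roadwarrior-b
    left=%defaultroute
    leftcert=gwCert.pem
    leftid=@gw.example.org
    leftsubnet=10.0.0.0/24
    right=%any
    rightid=@bob.example.org
    ike=aes128-sha1-modp1024!     # never consulted during IKE_SA_INIT
    esp=aes128-sha1!
    auto=add

# --- Corrected layout ------------------------------------------------------
# Put every IKE proposal any road warrior may need into the conn that wins
# the address match (here the first one).  The esp= lines may still differ
# per conn, because CHILD_SA proposals are taken from the config selected
# by identity after IKE_AUTH.

conn roadwarrior-a
    left=%defaultroute
    leftcert=gwCert.pem
    leftid=@gw.example.org
    leftsubnet=10.0.0.0/24
    right=%any
    rightid=@alice.example.org
    ike=aes256-sha256-modp2048,aes128-sha1-modp1024!
    esp=aes256-sha256!
    auto=add

conn roadwarrior-b
    also=roadwarrior-a
    rightid=@bob.example.org
    ike=aes256-sha256-modp2048,aes128-sha1-modp1024!   # keep identical
    esp=aes128-sha1!
```

The practical check is to watch the charon log while the second client connects: the line naming the selected config after IKE_SA_INIT will show the first conn, and the switch to the second conn (if it happens at all) only appears after the peer identity has been received. Keeping the IKE proposal lists identical across all right=%any conns, or consolidating them into a single conn, avoids depending on listing order; only the esp= and identity-related settings need to differ. If the gateway is multi-homed, binding each conn to a different left= address would also let the address match alone pick the right IKE parameters, but that is a deployment assumption, not something the reply above states.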


