[strongSwan] Multiple connections - parameters from first conn are used?

Tobias Brunner tobias at strongswan.org
Sun Sep 23 08:11:47 CEST 2012


Hi Mark,

> Sometimes when a connection comes up and it is the
> second connection in the ipsec.conf file, strongSwan tries to use
> parameters from the first connection listed. For example if I define
> the ike and esp algorithms in the second connection listed, it would
> always use the ike and esp parameters listed in my first connection.

The problem is that when a client connects the gateway has basically
just the IP addresses available to find a matching config.  So if you
have more than one connection with right=%any, the ike parameters of the
first one will be used.  Later, the connection could be switched to
another config based on the IKE identities (left|rightid) so esp
parameters could vary between such connections.

> Also I think when it tries to match a config to a certificate id, if each
> connection has similar parameters, it will use the first connection
> it finds going from top-to-bottom. Is this normal behavior?

Yes, the daemon checks each config from top-to-bottom and applies a
score as to how good a match the config is based on the IP addresses and
identities.  If no better match is found the first config will be used.

Regards,
Tobias
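The practical consequence of the behaviour described above is that a conn listed later in ipsec.conf can declare a stronger IKE proposal and never get it: if an earlier conn shares the same left/right address pair (typically right=%any), the earlier conn's ike= line is what the IKE_SA is negotiated with. The script below is an added example, not code from the thread or from the strongSwan project. It parses a constructed ipsec.conf (simplified parser: only conn sections, conn %default inheritance, no also= or include handling) and flags later conns whose ike= differs from the first conn sharing the same address pair, approximating the address-only matching the reply describes.

```python
import re
from collections import OrderedDict

# Constructed sample ipsec.conf (not from the original thread). Two road-warrior
# conns accept any peer (right=%any) but declare different IKE proposals; the
# gateway can only tell them apart by rightid, which is not yet known when the
# IKE_SA proposal is chosen, so the first conn's ike= line wins for both.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    auto=add

conn roadwarrior-a
    left=203.0.113.1
    right=%any
    rightid=@clienta.example.invalid
    ike=aes128-sha1-modp1024
    esp=aes128-sha1

conn roadwarrior-b
    left=203.0.113.1
    right=%any
    rightid=@clientb.example.invalid
    ike=aes256-sha256-modp2048
    esp=aes256-sha256

conn site-to-site
    left=203.0.113.1
    right=198.51.100.7
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
"""


def parse_ipsec_conf(text):
    """Return an OrderedDict of conn name -> {key: value}, in file order.

    Only 'conn' sections are kept; 'config setup' and 'ca' sections are
    skipped. Settings from 'conn %default' are merged into every conn as a
    fallback. Simplified: no 'also=' chaining and no 'include' directives."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # section header at column 0
            m = re.match(r'^(conn|config|ca)\s+(\S+)', line)
            if m is None:
                raise ValueError("unrecognised section header: %r" % line)
            kind, name = m.groups()
            current = name if kind == 'conn' else None
            if current is not None:
                sections[current] = {}
            continue
        if current is None:                    # inside config/ca: ignore
            continue
        key, _, value = line.strip().partition('=')
        sections[current][key.strip()] = value.strip()

    default = sections.pop('%default', {})
    conns = OrderedDict()
    for name, settings in sections.items():
        merged = dict(default)
        merged.update(settings)
        conns[name] = merged
    return conns


def find_shadowed_ike_proposals(conns):
    """Group conns by (left, right) address pair, in file order.

    Within a group the daemon selects the first conn by addresses alone when
    the IKE_SA is set up, so a later conn whose 'ike=' differs from that
    first conn's will never have its own IKE proposal applied. Returns a
    list of (later_conn, first_conn, later_ike, first_ike) tuples."""
    first_by_pair = {}
    findings = []
    for name, s in conns.items():
        pair = (s.get('left', '%any'), s.get('right', '%any'))
        if pair not in first_by_pair:
            first_by_pair[pair] = name
            continue
        first = first_by_pair[pair]
        first_ike = conns[first].get('ike', '')
        this_ike = s.get('ike', '')
        if this_ike != first_ike:
            findings.append((name, first, this_ike, first_ike))
    return findings


if __name__ == '__main__':
    conns = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for later, first, later_ike, first_ike in find_shadowed_ike_proposals(conns):
        print("conn %s: ike=%s is shadowed by conn %s (ike=%s), which is "
              "matched first by address" % (later, later_ike, first, first_ike))
```

Run against the constructed config it reports that roadwarrior-b's aes256-sha256-modp2048 proposal is shadowed by roadwarrior-a's aes128-sha1-modp1024, i.e. the client that asked for the stronger IKE proposal silently negotiates the weaker one. The fix follows from the reply: keep ike= identical (and as strong as the weakest client allows) across every conn that shares an address pair, or list the conn with the strongest proposal first; esp= may still differ per conn because the switch on rightid happens before the CHILD_SA is negotiated.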
