[strongSwan] Multiple connections - parameters from first conn are used?

Mark M mark076h at yahoo.com
Mon Sep 24 02:23:59 CEST 2012


Tobias,

This is bad news. I am trying to set up my strongSwan gateway to have multiple connections. Some connections will be for site-to-site configs and others will be for my mobile roadwarrior clients. Also, each config will have different ike and esp parameters, because for my site-to-site config I use ECC/Suite B crypto while the mobile clients cannot support that, so the parameters for those connections need to be different.

Are there any tips or tricks I could use?



------------------------------
On Sun, Sep 23, 2012 2:11 AM EDT Tobias Brunner wrote:

>Hi Mark,
>
>> Sometimes when a connection comes up and it is the
>> second connection in the ipsec.conf file, strongSwan tries to use
>> parameters from the first connection listed. For example if i define
>> the ike and esp algorithms in the second connection listed, it would
>> always use the ike and esp parameters listed in my first connection.
>
>The problem is that when a client connects the gateway has basically
>just the IP addresses available to find a matching config.  So if you
>have more than one connection with right=%any, the ike parameters of the
>first one will be used.  Later, the connection could be switched to
>another config based on the IKE identities (left|rightid) so esp
>parameters could vary between such connections.
>
>> Also i think when it tries to match a config to a certificate id, if each
>> connection has similar parameters, it will use the first connection
>> it finds going from top-to-bottom. Is this normal behavior?
>
>Yes, the daemon checks each config from top-to-bottom and applies a
>score as to how good a match the config is based on the IP addresses and
>identities.  If no better match is found the first config will be used.
>
>Regards,
>Tobias
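The behaviour Tobias describes, as an added ipsec.conf example that is not from the original thread: with two conns that both have right=%any, the first conn's ike= proposals are what every peer negotiates against in IKE_SA_INIT, and only at IKE_AUTH can the daemon switch to the conn whose rightid matches. The certificate DNs, subnets and proposal strings are assumptions.

```conf
config setup
    # Constructed example; names and addresses are placeholders.

conn %default
    keyexchange=ikev2
    left=%any
    leftcert=gatewayCert.pem
    leftid="C=CH, O=Example, CN=gw.example.org"

# Broken layout: the Suite B site-to-site conn is listed first and accepts
# only ECC proposals.  A roadwarrior that cannot do ecp384 is matched to
# this conn by IP (right=%any) and fails IKE_SA_INIT with NO_PROPOSAL_CHOSEN
# before its identity is ever seen, so the second conn never gets a chance.
#
# conn site-b
#     right=%any
#     rightid="C=CH, O=Example, CN=site-b.example.org"
#     ike=aes256gcm16-prfsha384-ecp384!
#     esp=aes256gcm16-ecp384!
#     leftsubnet=10.1.0.0/16
#     rightsubnet=10.2.0.0/16
#     auto=add

# Working layout: the first %any conn lists every IKE proposal the gateway
# is willing to accept, so both peer classes complete IKE_SA_INIT.  The
# specific rightid on site-b then lets the daemon switch a roadwarrior to
# the "roadwarrior" conn at IKE_AUTH, where the weaker esp= applies only
# to that conn.  The trailing "!" keeps strongSwan from appending its
# default proposals.
conn site-b
    right=%any
    rightid="C=CH, O=Example, CN=site-b.example.org"
    ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048!
    esp=aes256gcm16-ecp384!
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    auto=add

conn roadwarrior
    right=%any
    rightid="C=CH, O=Example, OU=Mobile, CN=*"
    rightsourceip=10.3.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    leftsubnet=10.1.0.0/16
    auto=add
```

Check the effect with `ipsec statusall` after a roadwarrior connects: the IKE_SA should show the modp2048 proposal and the CHILD_SA should be attributed to the roadwarrior conn, not site-b.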
