[strongSwan] routing based on rightid

Martin Willi martin at strongswan.org
Mon Oct 28 10:10:06 CET 2013

> Selecting test-oti.dom.ch failed due to strongswan always using peer
> 'dev' (the first one) and the eap_identity mismatching. Looks like
> the peer config is selected before the eap-tls comes into play. Am I
> missing something here?

Yes, the peer config is selected before EAP-TLS starts, as the daemon
has to know, among other things, what EAP method to initiate.

However, strongSwan has a concept of "late configuration switching";
it allows switching to a different (compatible) connection after
authentication when it sees that the current selection is unacceptable.

Unfortunately, the eap_identity option is not something you can use to
do connection selection; as the manpage says, a non-%identity value does
not do any matching based on the EAP-Identity, but it omits the
EAP-Identity exchange and just uses the configured value as

Further, any other selection mechanism (rightcert, rightcertpolicy etc.)
wouldn't work either, as the information from the EAP exchange is not
passed along to IKE configuration selection. Certainly something we
could improve, but currently this is not done.

So it seems that using EAP-TLS would help in selecting the certificate
on the client, but no longer allows you to do connection matching
as needed. I think both connection matching based on EAP-Identity and
other EAP specific authentication details would be of great value. I'll
see if we can get this done, but I probably won't find the time in the
next few weeks.

