[strongSwan] Small Problems with 5.2

Tobias Brunner tobias at strongswan.org
Wed Jul 16 18:02:24 CEST 2014

Hi Dirk,
>>>> Not sure why the behavior changed between 5.1.3 and 5.2.0 in this
>>>> regard; likely that it is related to the replaced ipsec.conf parser.
>>> It's probably the new parser.
>>> Checking the logs on the gateway running 5.1.3 I discovered that the
>>> rightsendcert = never wasn't honoured for any connection. Windows 7
>>> eap  clients received a cert request too. So your suggestion to
>>> remove this  option from our config should be no problem.
>> Intriguing.  Could you send me the complete config file that manifests
>> this difference in behavior?
> sure
> The normal ipsec.conf includes all *.conf files in the connections 
> directory.
> The files in this directory are named:
> 0_all_w7_eapmschap.conf which I attached as its holds the rightsendcert 
> = never.
> One file 98_partner1.conf.
> The rest are subnet related config files named 172.xx.xx-name.conf I 
> added one too.

Thanks a lot.  It's definitely caused by the new parser.  The difference
is the order in which included files are handled.  I wasn't fully aware
of this, but apparently the old parser stored the included files (as
returned by glob) on a stack and then parsed them beginning from the
top.  So the example files were read in this order:

  ipsec.conf before include
  ipsec.conf after include

Which is probably exactly the opposite of what you intended to achieve
with those number prefixes.  So with the old parser the win7eapmschap
config was the last one passed to charon, and thus never got used for
the early IKE phase where the left|rightsendcert option applies and the
IP addresses and IKE version are used to find a matching config.

The new parser handles included files in alphabetical order (i.e.
reversed in comparison), which means the win7eapmschap config is now the
first one passed to charon.


More information about the Users mailing list