[strongSwan] choice of ID selectors in ipsec.secrets IKEv2

Martin Willi martin at strongswan.org
Wed Oct 1 10:02:14 CEST 2014


> The text from strongswan wiki (last paragraph) suggests that in case of
> PSK -- " an entry with multiple selectors will match a host and peer if
> the host ID and peer ID each match one of the selectors."  But in
> IKEv2, if either of host_id or my_id matches the list of selectors
> provided in ipsec.secrets entry, the key is tried for authentication
> of the message.

While this is probably true for the IKEv1 pluto daemon the text
originally was written for, this is not absolutely correct anymore for
charon.

In strongSwan 5.x, a shared secret has a list of associated "owners".
When looking up the secret, the local and remote peer identities are
used. It is not required that both identities are listed as "owners",
one is sufficient to produce a match. That allows you to specify a
secret for multiple peer identities. If both identities match an
"owner", the match is better, making the secret preferred over others.

Regards
Martin
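
The owner-based lookup Martin describes, as an added Python model that is not strongSwan code: entries from a constructed ipsec.secrets-style snippet are scored by how many of the two identities (local, remote) appear among their owners, so one matching identity suffices and two are preferred. The treatment of a selector-less entry as a lowest-ranked wildcard and the choice of the first entry on ties are assumptions of this model, not statements from the mail.

```python
"""Model of charon's owner-based PSK lookup (strongSwan 5.x), as described above.

Constructed example, not strongSwan code; ipsec.secrets parsing is simplified
(IDs containing ':' such as IPv6 addresses are not handled).
"""
import re

# Constructed ipsec.secrets-style content (not from the page).
SECRETS = """
# one selector: usable for any peer talking to moon
moon.example.org : PSK "moon-any"
# two selectors: both identities known, preferred when both match
moon.example.org sun.example.org : PSK "moon-sun"
# no selector at all: fallback for any pair (assumption: matches anyone)
: PSK "wildcard"
"""

PSK_LINE = re.compile(r'^\s*(?P<ids>[^:#]*?)\s*:\s*PSK\s+"(?P<key>[^"]*)"\s*$')

def parse_secrets(text):
    """Return [(owners, key), ...] in file order, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        m = PSK_LINE.match(line)
        if m:
            entries.append((m.group("ids").split(), m.group("key")))
    return entries

def match_quality(owners, local_id, remote_id):
    """Score one entry against the (local, remote) identity pair.

    0 = unusable (neither identity is an owner)
    1 = entry has no owners at all (wildcard; assumed lowest usable match)
    2 = exactly one of the two identities is an owner: sufficient for a match
    3 = both identities are owners: preferred over any other usable entry
    """
    if not owners:
        return 1
    hits = int(local_id in owners) + int(remote_id in owners)
    return 0 if hits == 0 else hits + 1

def lookup_psk(entries, local_id, remote_id):
    """Return the key of the best-matching entry, or None if nothing matches.

    On equal quality the entry listed first wins (assumption; max() keeps the
    first maximum it sees).
    """
    scored = [(match_quality(o, local_id, remote_id), k) for o, k in entries]
    best = max(scored, key=lambda s: s[0], default=(0, None))
    return best[1] if best[0] > 0 else None

ENTRIES = parse_secrets(SECRETS)
```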
