[strongSwan] choice of ID selectors in ipsec.secrets IKEv2

Kumar, Shekhar 1. (NSN - IN/Bangalore) shekhar.1.kumar at nsn.com
Wed Oct 1 17:44:09 CEST 2014

Hi Martin,

Thanks for your reply. This is clearer now, except for the case of "Best Match" preference in responder mode.

While validating the incoming auth message, if the verification using the best match (where both IDs match) fails, would all other matching secrets be tried?


-----Original Message-----
From: ext Martin Willi [mailto:martin at strongswan.org] 
Sent: Wednesday, October 01, 2014 1:32 PM
To: Kumar, Shekhar 1. (NSN - IN/Bangalore)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] choice of ID selectors in ipsec.secrets IKEv2

> The text from strongswan wiki (last paragraph) suggests that in case of 
> PSK -- " an entry with multiple selectors will match a host and peer 
> if the host ID and peer ID each match one of the selectors."  But in 
> IKEv2, if either of host_id or my_id match the list of selectors 
> provided in ipsec.secrets entry, the key is tried for authentication 
> of the message.

While this is probably true for the IKEv1 pluto daemon the text originally was written for, this is not absolutely correct anymore for charon.

In strongSwan 5.x, a shared secret has a list of associated "owners".
When looking up the secret, the local and remote peer identities are used. It is not required that both identities are listed as "owners", one is sufficient to produce a match. That allows you to specify a secret for multiple peer identities. If both identities match an "owner", the match is better, making the secret preferred over others.
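The owner-based lookup that the quoted reply describes for charon, as a simplified Python model added here; it is not strongSwan's own code. The ipsec.secrets text is constructed for the demo, and the numeric scores (exact owner match above a `%any` or empty selector list) are an assumption of this model, not charon's actual match levels. It shows the two points in the reply: an entry is a candidate when either identity matches one of its owners, and an entry where both identities match ranks above the others.

```python
# Added example: simplified model of charon's PSK owner matching (strongSwan 5.x).
# Not strongSwan's own code; the secrets text below is constructed for the demo.
import shlex

SECRETS = """\
# constructed sample in ipsec.secrets syntax
carol@example.org moon.example.org : PSK "carol-and-moon"
carol@example.org : PSK "carol-anyone"
%any : PSK "catch-all"
"""


def parse_secrets(text):
    """Parse ipsec.secrets-style PSK lines into (owners, secret) tuples.

    Only the 'ids : PSK "secret"' form is handled; other secret types and
    include directives are skipped. The line is split at the first ':',
    so IPv6 selectors would need more care than this model gives them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        selectors, rest = line.split(":", 1)
        fields = shlex.split(rest)            # e.g. ['PSK', 'carol-and-moon']
        if len(fields) != 2 or fields[0] != "PSK":
            continue
        entries.append((selectors.split(), fields[1]))
    return entries


def identity_score(owners, identity):
    """2 for an exact owner match, 1 for a wildcard match, 0 for no match.

    The weights are an assumption of this model; charon's own match
    levels are not reproduced here.
    """
    if identity in owners:
        return 2
    if not owners or "%any" in owners:
        return 1
    return 0


def lookup(entries, local_id, remote_id):
    """Return [(score, secret), ...] for every entry where at least one of
    the two identities matches an owner, best match first (file order on ties)."""
    ranked = []
    for owners, secret in entries:
        score = identity_score(owners, local_id) + identity_score(owners, remote_id)
        if score > 0:                          # one matching identity is enough
            ranked.append((score, secret))
    ranked.sort(key=lambda pair: pair[0], reverse=True)   # sort() is stable
    return ranked


def best_secret(entries, local_id, remote_id):
    """The preferred secret for this identity pair, or None if nothing matches."""
    ranked = lookup(entries, local_id, remote_id)
    return ranked[0][1] if ranked else None


ENTRIES = parse_secrets(SECRETS)

if __name__ == "__main__":
    # Both identities listed as owners of the first entry: it outranks the
    # single-owner entry and the %any entry, which still remain candidates.
    print(lookup(ENTRIES, "moon.example.org", "carol@example.org"))
    # Neither identity listed anywhere: only the %any entry is a candidate.
    print(lookup(ENTRIES, "sun.example.org", "dave@example.org"))
```

Running the block prints the ranked candidates for both identity pairs; the first pair yields three candidates with "carol-and-moon" on top, the second only the catch-all entry.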

