[strongSwan] Phase 2: our client ID returned doesn't match my proposal between two StrongSwans

Jakob Curdes jc at info-systems.de
Wed Oct 8 20:58:59 CEST 2014


On 08.10.2014 13:38, Andreas Steffen wrote:
> Hi Jakob,
>
> In IKEv1 terminology the client IDs are traffic selectors
> (a single host or an IPv4 or IPv6 subnet) which define which
> local and remote subnets behind the gateways are to be connected
> with each other over the tunnel. With IKEv2 these proposals must match
> exactly. In your case it seems that the two IPsec endpoints propose
> differing subnet definitions.
>
In a way this was the point. I used the same notation on both sides:

rightsubnet=192.168.4.0/255.255.255.0

but the newer strongswan will only understand CIDR masks correctly:

rightsubnet=192.168.4.0/24

In the other case, it offers 192.168.4.0/32 which does not match the 
other side.
But this is hard to see as both notations describe the same network....
Anyway, it works now, thank you very much for the hint!

Regards,
Jakob Curdes
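
The mismatch described in this message can be caught before a tunnel fails by scanning the configuration for dotted netmasks. The following is an added example, not part of the original message and not strongSwan code; the function name `find_dotted_masks` and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample ipsec.conf fragment (only the first dotted-mask value is from the message).
SAMPLE_CONF = """\
conn site-a
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.4.0/255.255.255.0
conn site-b
    rightsubnet=10.0.0.0/8,172.16.0.0/255.240.0.0  # two selectors
"""

# Match leftsubnet=/rightsubnet= and capture the value up to any trailing comment.
SUBNET_KEY = re.compile(r"^\s*(leftsubnet|rightsubnet)\s*=\s*([^#]*)")


def find_dotted_masks(conf_text):
    """Return (line_no, key, value, cidr) for each subnet written with a dotted netmask."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = SUBNET_KEY.match(line)
        if not m:
            continue
        key = m.group(1)
        # A subnet option may hold several comma-separated selectors.
        for value in m.group(2).split(","):
            value = value.strip()
            addr, sep, mask = value.partition("/")
            # A dot after the slash means a dotted IPv4 netmask, not a prefix length.
            if not sep or "." not in mask:
                continue
            try:
                cidr = str(ipaddress.ip_network(value, strict=False))
            except ValueError:
                cidr = None  # not a valid netmask; needs manual review
            findings.append((line_no, key, value, cidr))
    return findings


if __name__ == "__main__":
    for line_no, key, value, cidr in find_dotted_masks(SAMPLE_CONF):
        print(f"line {line_no}: {key}={value} -> use {cidr or 'a valid CIDR prefix'}")
```
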


