[strongSwan] Resolve domain for left/rightid?

Tobias Brunner tobias at strongswan.org
Tue Jun 23 18:27:33 CEST 2015


Hi Glen,

> The doc seems to indicate that before 5.0.0, rightid=example.com
> will resolve the domain to an IP address. How to
> get this behavior after 5.0.0?

5.x won't resolve any hostnames in identities.  If you want to use IPs,
just configure the IPs; if they are dynamic, use something else as
identities.

> Also I guess the ID selector in ipsec.secrets is unrelated to
> left/rightid?

The ID selector is a list of identities, so those are matched against
the values in left|rightid (or xauth|eap_identity).  However, for IKEv1
there is a lookup based on the IP addresses first and only when using
Aggressive Mode will a responder be able to use identities to find secrets.

> But is it possible to specify a domain in id selector but
> actually use its resolved IP as the used value?

No.

Regards,
Tobias
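
An added configuration sketch (not part of the original message and not taken from the strongSwan project) of the approach described above for a peer with a dynamic address: an FQDN is used as the identity and the same string is used as the ID selector in ipsec.secrets. The connection name, the host names and the secret are constructed placeholders, and IKEv2 is assumed so that the secret is found by identity rather than by IP address.

```conf
# /etc/ipsec.conf  (constructed example, strongSwan 5.x)
conn dyn-peer
    keyexchange=ikev2
    authby=secret
    left=%any
    # Identities are compared as strings of type FQDN; 5.x never resolves them.
    leftid=@gw.example.org
    # A host name in right= IS resolved, but only to find the peer's address.
    right=peer.example.com
    # Same name as identity: matched literally against the peer's IKE ID.
    rightid=@peer.example.com
    auto=add

# /etc/ipsec.secrets  (constructed example)
# The ID selectors are matched against the leftid/rightid values above,
# not against whatever address peer.example.com currently resolves to.
@gw.example.org @peer.example.com : PSK "REPLACE-WITH-LONG-RANDOM-SECRET"
```

With IKEv1 Main Mode the responder looks up the PSK by IP address first, as noted in the reply, so this identity-based selector would not be enough there for a peer whose address changes.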