[strongSwan] Resolve domain for left/rightid?

David McCullough ucdevel at gmail.com
Wed Jun 24 14:57:27 CEST 2015


Hi all,

I have a patch (attached) that I have been meaning to post here
for comment.  This thread prompted me to send it on.

It allows the left/rightid to use DNS names when combined with the
ipv4:/ipv6: ID types to force the ID type.

The patch could be more comprehensive but it solves the basic use
case I needed.

Any comments or suggestions welcome,

Cheers,
Davidm




Glen Huang wrote the following:
> OK. Thanks a lot.
> 
> > On Jun 24, 2015, at 12:27 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> > 
> > Hi Glen,
> > 
> >> The doc seems to indicate that before 5.0.0, rightid=example.com
> >> will resolve the domain to an IP address. How to
> >> get this behavior after 5.0.0?
> > 
> > 5.x won't resolve any hostnames in identities.  If you want to use IPs
> > just configure the IPs, if they are dynamic use something else as
> > identities.
> > 
> >> Also I guess the ID selector in ipsec.secrets is unrelated to
> >> left/rightid?
> > 
> > The ID selector is a list of identities, so those are matched against
> > the values in left|rightid (or xauth|eap_identity).  However, for IKEv1
> > there is a lookup based on the IP addresses first and only when using
> > Aggressive Mode will a responder be able to use identities to find secrets.
> > 
> >> But is it possible to specify a domain in id selector but
> >> actually use its resolved IP as the used value?
> > 
> > No.
> > 
> > Regards,
> > Tobias
> > 
> 

-- 
David McCullough,  ucdevel at gmail.com,   Ph: 0410 560 763
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongswan-5.2.2-id-ipvX-dns.patch
Type: text/x-diff
Size: 2126 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150624/805a0c8a/attachment.patch>

