[strongSwan] Resolve domain for left/rightid?

Glen Huang curvedmark at gmail.com
Thu Jun 25 05:31:21 CEST 2015


Just a quick question: I wonder what's the correct way to specify ipsec.secrets for two sets of connections, where each set uses the same PSK but each connection in the set has a different right domain.

Is it possible to define groups for connections and then select these groups in ipsec.secrets? I guess left/rightgroups is unrelated to this?

> On Jun 24, 2015, at 12:27 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Glen,
> 
>> The doc seems to indicate that before 5.0.0, rightid=example.com
>> will resolve the domain to an IP address. How to
>> get this behavior after 5.0.0?
> 
> 5.x won't resolve any hostnames in identities.  If you want to use IPs
> just configure the IPs, if they are dynamic use something else as
> identities.
> 
>> Also I guess the ID selector in ipsec.secrets is unrelated to
>> left/rightid?
> 
> The ID selector is a list of identities, so those are matched against
> the values in left|rightid (or xauth|eap_identity).  However, for IKEv1
> there is a lookup based on the IP addresses first and only when using
> Aggressive Mode will a responder be able to use identities to find secrets.
> 
>> But is it possible to specify a domain in the ID selector but
>> actually use its resolved IP as the used value?
> 
> No.
> 
> Regards,
> Tobias
> 
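
The matching rules stated in the reply above, as a small check over a constructed configuration. This is an added example, not part of the original thread and not strongSwan's code. It is a simplified responder-side model: the conn names, addresses and PSKs are hypothetical, `%any` and selector-less secrets are not modelled, and it assumes IKEv2 looks up PSKs by identity only.

```python
import ipaddress

# Constructed sample (hypothetical names, documentation addresses, placeholder PSKs).
SECRETS = """
@a1.example.com @a2.example.com : PSK "placeholder-set-A"
192.0.2.10 : PSK "placeholder-set-B"
"""
CONNS = {
    "a1": {"keyexchange": "ikev2", "rightid": "@a1.example.com"},
    "a2": {"keyexchange": "ikev1", "rightid": "@a2.example.com"},
    "a3": {"keyexchange": "ikev1", "aggressive": "yes", "rightid": "@a2.example.com"},
    "b1": {"keyexchange": "ikev1", "right": "192.0.2.10", "rightid": "b1.example.com"},
    "b2": {"keyexchange": "ikev2", "right": "192.0.2.10", "rightid": "b2.example.com"},
}

def is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def norm(ident):
    # Assumption: a leading "@" only marks the identity as an FQDN.
    return (ident[1:] if ident.startswith("@") else ident).lower()

def parse_selectors(text):
    """Return one set of normalised ID selectors per PSK line."""
    sets = []
    for line in text.splitlines():
        head, sep, _ = line.partition(": PSK")
        if sep and head.strip():  # selector-less secrets are not modelled
            sets.append({norm(s) for s in head.split()})
    return sets

def psk_lookup(conn, selector_sets):
    """Return how a responder finds the PSK: 'ip', 'identity' or 'none'."""
    ident, peer = norm(conn["rightid"]), conn.get("right", "")
    by_id = any(ident in s for s in selector_sets)  # literal match, no DNS
    by_ip = is_ip(peer) and any(peer in s for s in selector_sets)
    if conn["keyexchange"] == "ikev1":
        if by_ip:  # IKEv1 looks up by IP address first
            return "ip"
        aggressive = conn.get("aggressive") == "yes"
        return "identity" if by_id and aggressive else "none"  # Aggressive Mode only
    return "identity" if by_id else "none"  # assumption: IKEv2 uses identities only

if __name__ == "__main__":
    for name, conn in CONNS.items():
        print(name, psk_lookup(conn, parse_selectors(SECRETS)))
```

Conn `b2` shows the point about resolution: an IP selector does not cover a hostname identity, because the hostname is never resolved.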


