[strongSwan] Multiple proposals with different authentication types

Martin Willi martin at strongswan.org
Mon Jun 29 08:53:38 CEST 2015


Hi,

> [...] when the cisco initiates a connection with both the
> transforms, the RSA-SIG being first in the list, strongswan replies back
> with a proposal that contains RSA-SIG, because it is the first in the list,
> even though the connection is defined as PSK.

> Is this a bug and is there a way to fix this?

It is a limitation in the IKEv1 proposal handling in charon. strongSwan
5.x does not honor different authentication methods in IKEv1 proposals,
but uses the first one only.

If you look at sa_payload.h, you can see that get_auth_method() returns
a single method only. To support multiple auth methods, we'd have to
return all of them (for example using a bit-set), and use these methods
in main/aggressive_mode.c to select the appropriate config.

Regards
Martin
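To make the limitation and the suggested fix concrete, here is an added illustration that is not strongSwan code and not part of this thread. It models a peer's IKEv1 transforms reduced to their authentication method, shows the "first transform only" selection described above, and then the alternative of collecting every offered method into a bit-set and choosing the transform that matches the locally configured method. All type names, enum values and the sample proposal are hypothetical and constructed for this example; the enum values are not the IANA IKEv1 attribute codes.

```c
/* Added illustration, NOT strongSwan's sa_payload or main/aggressive_mode
 * code. Names, enum values and the sample proposal are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical authentication methods (values are not IANA codes). */
typedef enum {
    AUTH_NONE      = 0,
    AUTH_PSK       = 1,
    AUTH_RSA_SIG   = 2,
    AUTH_XAUTH_PSK = 3,   /* placeholder for a further method */
} auth_method_t;

#define AUTH_BIT(m) (1u << (m))

/* One transform from the peer's SA payload, reduced to its auth method. */
typedef struct {
    auth_method_t auth;
} transform_t;

/* Constructed sample: peer offers RSA-SIG first, then PSK. */
const transform_t SAMPLE_PROPOSAL[] = {
    { AUTH_RSA_SIG },
    { AUTH_PSK },
};
#define SAMPLE_N (sizeof(SAMPLE_PROPOSAL) / sizeof(SAMPLE_PROPOSAL[0]))

/* Behaviour described in the mail: only the first transform's method
 * is considered, so a PSK-only config still sees RSA-SIG here. */
auth_method_t get_auth_method_first(const transform_t *t, size_t n)
{
    return n ? t[0].auth : AUTH_NONE;
}

/* Suggested alternative: a bit-set of every method the peer offered. */
uint32_t get_auth_methods(const transform_t *t, size_t n)
{
    uint32_t set = 0;
    for (size_t i = 0; i < n; i++)
        set |= AUTH_BIT(t[i].auth);
    return set;
}

/* Pick the transform whose auth method matches the local config.
 * Returns the transform index, or -1 if nothing the peer offered matches. */
int select_transform(const transform_t *t, size_t n, auth_method_t configured)
{
    if (!(get_auth_methods(t, n) & AUTH_BIT(configured)))
        return -1;
    for (size_t i = 0; i < n; i++)
        if (t[i].auth == configured)
            return (int)i;
    return -1;
}

int main(void)
{
    auth_method_t configured = AUTH_PSK;   /* connection defined as PSK */

    printf("first-only selection: method %d\n",
           get_auth_method_first(SAMPLE_PROPOSAL, SAMPLE_N));
    printf("offered bit-set: 0x%x\n",
           get_auth_methods(SAMPLE_PROPOSAL, SAMPLE_N));
    printf("transform matching configured method: %d\n",
           select_transform(SAMPLE_PROPOSAL, SAMPLE_N, configured));
    return 0;
}
```

With the sample proposal the first-only path yields RSA-SIG even though the connection is PSK, while the bit-set path finds PSK at index 1; a configured method the peer never offered yields -1, which is the point at which a responder would reject the proposal rather than silently pick a mismatching one.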


