[strongSwan] Multiple Peers/Proposals Connection Failure

Thomas Egerer hakke_007 at gmx.de
Tue Nov 24 22:48:56 CET 2015


Hello Andreas,

On 11/24/2015 10:22 AM, Andreas Steffen wrote:
> Hi,
> 
> this is a general problem with roadwarrior connection templates
> where the two IKE_SAs are not bound to a remote IP address
> but to two different IKE IDs. Since the IDi is transmitted
> in the encrypted IKE_SA request message the IKE_SA cipher
> suite must be chosen before the identity becomes known.
> 
> strongSwan does not try to find a match for a common cipher suite
> but just chooses the first connection where remote_addrs = %any.
Just out of curiosity: wouldn't it be possible to add all possible IKE
configs (i.e. with the same priority value) to a list of candidates, to
resume the negotiation and later select the one matching the proposals
best? Of course during IKE_AUTH, when the constraints are checked, the
setup of the SA may still fail due to an ID mismatch. This would solve
Cem's problem without concatenating the proposals, or is there anything which
argues against this idea?
> [...]

Cheers,
Thomas
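The failure mode Andreas describes, and the proposal-concatenation workaround the thread refers to, as an added swanctl.conf example that is not part of this thread (the connection names, identities, certificate file, subnet and cipher suites are made-up assumptions):

```conf
# Constructed example, not taken from the thread. Two roadwarrior templates
# that differ only in the expected remote identity and in the IKE proposal.
# The peer's IDi only arrives inside the encrypted IKE_AUTH exchange, so the
# responder has to pick a connection for the IKE_SA_INIT proposal before it
# knows who is connecting, and takes the first one whose remote_addrs is
# %any. A peer offering only rw-bob's suite is therefore answered with
# NO_PROPOSAL_CHOSEN even though rw-bob would have matched it.
connections {
    rw-alice {
        remote_addrs = %any
        proposals = aes256-sha256-ecp256
        local {
            auth = pubkey
            certs = serverCert.pem
            id = vpn.example.com
        }
        remote {
            auth = pubkey
            id = "C=CH, O=Example, CN=alice"
        }
        children {
            net {
                local_ts = 10.1.0.0/16
            }
        }
    }
    rw-bob {
        remote_addrs = %any
        proposals = aes128-sha256-modp2048
        local {
            auth = pubkey
            certs = serverCert.pem
            id = vpn.example.com
        }
        remote {
            auth = pubkey
            id = "C=CH, O=Example, CN=bob"
        }
        children {
            net {
                local_ts = 10.1.0.0/16
            }
        }
    }
}
# Workaround discussed in the thread: list every suite the roadwarriors may
# offer on both templates, so whichever connection is selected at IKE_SA_INIT
# can complete the handshake. Only the changed key is shown for each block:
#   rw-alice: proposals = aes256-sha256-ecp256,aes128-sha256-modp2048
#   rw-bob:   proposals = aes256-sha256-ecp256,aes128-sha256-modp2048
```

The remote id constraint is still enforced at IKE_AUTH, so a peer presenting the wrong identity fails there rather than at IKE_SA_INIT. Note that concatenating proposals means every roadwarrior can now negotiate the weakest suite in the combined list, so only list suites acceptable for all of them.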

