[strongSwan] Sending INIT_CONTACT during "ipsec up .... "

Marko Burazin morkitz at gmail.com
Mon Nov 14 15:10:33 CET 2016

Hi Tobias,

Thanks for the answer.

I thought that somehow the peer identity is stored internally in the client
after the peer responds...
Considering what you said, why then if I use a rightid parameter like this:

rightid="C=*, ST=*, O=*, OU=*, CN=*"

using wildcards does indeed result in sending the INIT_CONTACT in the
IKE_AUTH request...

Shouldn't the same apply when you use wildcards then ? Because in this case
also is not determined on what the exact peer identity is, but still the
INIT_CONTACT is being sent...?


On Mon, Nov 14, 2016 at 11:40 AM Tobias Brunner <tobias at strongswan.org>

> Hi Marko,
> > What is the reason for this ? Is it the expected behaviour ?
> Yes, how could the client know that this is the first IKE_SA with the
> peer if it doesn't know the peer's identity (rightid=%any)?
> Regards,
> Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161114/2bba9033/attachment.html>

More information about the Users mailing list