[strongSwan] Sending INIT_CONTACT during "ipsec up .... "

Tobias Brunner tobias at strongswan.org
Mon Nov 14 15:43:13 CET 2016


Hi Marko,

> Shouldn't the same apply when you use wildcards then? Because in this
> case it is also not determined what the exact peer identity is, but
> still the INITIAL_CONTACT is being sent...?

The code currently just checks if there is an IDr before checking for
existing connections.  With rightid=%any there is none, with wildcards
there is.  However, such an identity will never match an existing SA as
that identity will not equal an actual remote identity, resulting in
sending an INITIAL_CONTACT even if there might already be an IKE_SA with
a specific peer.  So yes, I guess checking for connections and sending
an INITIAL_CONTACT doesn't make much sense if rightid contains any
wildcards [1].

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/initial-contact-wildcards
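The decision described above, modelled as an added example that is not strongSwan's own code: a configured rightid is compared with the peer identities of existing IKE_SAs by equality, so a wildcard identity such as `*@strongswan.org` never equals an actual peer identity and INITIAL_CONTACT is sent regardless; treating a wildcard rightid like `%any` (no uniqueness check, no INITIAL_CONTACT) avoids that. The identity strings, the `established_peers` set and the function names are assumptions made for this illustration, not strongSwan internals.

```python
# Hypothetical model of the INITIAL_CONTACT decision discussed in the thread.
# Not strongSwan code; identities and function names are made up for illustration.

ANY = "%any"


def contains_wildcards(identity: str) -> bool:
    """%any, or any identity containing '*', cannot name one specific peer."""
    return identity == ANY or "*" in identity


def has_ike_sa_by_equality(rightid: str, established_peers: set[str]) -> bool:
    """The comparison the thread describes: an exact match on the peer identity.

    A wildcard rightid is never equal to a concrete peer identity, so this
    always returns False for wildcards even when an IKE_SA with a matching
    peer already exists.
    """
    return rightid in established_peers


def send_initial_contact_before(rightid: str, established_peers: set[str]) -> bool:
    """Behaviour before the fix: only rightid=%any skips the check."""
    if rightid == ANY:
        return False  # no IDr -> no uniqueness check, no INITIAL_CONTACT
    return not has_ike_sa_by_equality(rightid, established_peers)


def send_initial_contact_after(rightid: str, established_peers: set[str]) -> bool:
    """Behaviour with the suggested fix: any wildcard rightid skips the check."""
    if contains_wildcards(rightid):
        return False  # peer identity undetermined -> do not send INITIAL_CONTACT
    return not has_ike_sa_by_equality(rightid, established_peers)


def compare(rightid: str, established_peers: set[str]) -> tuple[bool, bool]:
    """Return (before, after) decisions for one rightid, for side-by-side display."""
    return (send_initial_contact_before(rightid, established_peers),
            send_initial_contact_after(rightid, established_peers))


if __name__ == "__main__":
    # Constructed sample: one IKE_SA already established with carol.
    established = {"carol@strongswan.org"}
    for rightid in ("carol@strongswan.org", "dave@strongswan.org",
                    "*@strongswan.org", ANY):
        before, after = compare(rightid, established)
        print(f"rightid={rightid:24s} before={before!s:5s} after={after!s}")
```

The line for `*@strongswan.org` is the case the thread is about: before the change INITIAL_CONTACT is sent although an IKE_SA with carol already exists, after it nothing is sent, matching the `%any` case.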

