[strongSwan] Sending INIT_CONTACT during "ipsec up .... "

Marko Burazin morkitz at gmail.com
Tue Nov 15 09:18:28 CET 2016

Hi Tobias,

Couldn't the peer identity be stored locally in the client after receiving
the certificate from the peer in IKE_AUTH response, even if the parameter
rightid=%any ?

Sorry for asking possibly annoying questions, but I would like to
understand more on whether it's possible to use INIT_CONTACT anyway... Is
there any reason to prevent that kind of implementation?

Thanks again.


On Mon, Nov 14, 2016 at 3:43 PM Tobias Brunner <tobias at strongswan.org>

> Hi Marko,
> > Shouldn't the same apply when you use wildcards then ? Because in this
> > case also is not determined on what the exact peer identity is, but
> > still the INIT_CONTACT is being sent...?
> The code currently just checks if there is an IDr before checking for
> existing connections.  With rightid=%any there is none, with wildcards
> there is.  However, such an identity will never match an existing SA as
> that identity will not equal an actual remote identity, resulting in
> sending an INITIAL_CONTACT even if there might already be an IKE_SA with
> a specific peer.  So yes, I guess checking for connections and sending
> an INITIAL_CONTACT doesn't make much sense if rightid contains any
> wildcards [1].
> Regards,
> Tobias
> [1]
> https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/initial-contact-wildcards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161115/b3721fd1/attachment-0001.html>

More information about the Users mailing list