[strongSwan] Sending INIT_CONTACT during "ipsec up .... "
morkitz at gmail.com
Tue Nov 15 09:18:28 CET 2016
Couldn't the peer identity be stored locally in the client after receiving
the certificate from the peer in IKE_AUTH response, even if the parameter
Sorry for asking possibly annoying questions, but I would like to
understand more on whether it's possible to use INIT_CONTACT anyway... Is
there any reason to prevent that kind of implementation?
On Mon, Nov 14, 2016 at 3:43 PM Tobias Brunner <tobias at strongswan.org>
> Hi Marko,
> > Shouldn't the same apply when you use wildcards then ? Because in this
> > case also is not determined on what the exact peer identity is, but
> > still the INIT_CONTACT is being sent...?
> The code currently just checks if there is an IDr before checking for
> existing connections. With rightid=%any there is none, with wildcards
> there is. However, such an identity will never match an existing SA as
> that identity will not equal an actual remote identity, resulting in
> sending an INITIAL_CONTACT even if there might already be an IKE_SA with
> a specific peer. So yes, I guess checking for connections and sending
> an INITIAL_CONTACT doesn't make much sense if rightid contains any
> wildcards.
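As an added illustration (this is not strongSwan code; the identity table and the matching rules are simplified assumptions), here is a model of the INITIAL_CONTACT decision Tobias describes, next to the variant he suggests where wildcard rightid values skip the check:

```python
# Added illustration of the INITIAL_CONTACT decision discussed above.
# Assumptions: an IKE_SA table is modelled as a set of remote identity
# strings, and a wildcard rightid is one containing '*' (or %any / unset).
from fnmatch import fnmatchcase


def is_wildcard(rightid):
    """True for rightid=%any, an unset rightid, or a pattern such as *.example.org."""
    return rightid is None or rightid == "%any" or "*" in rightid


def pattern_covers(rightid, peer_id):
    """Would the configured rightid accept this peer identity at authentication?"""
    return rightid == "%any" or fnmatchcase(peer_id, rightid)


def current_rule(rightid, existing_peer_ids):
    """Behaviour as described in the thread: if there is no IDr the SA table is
    not consulted at all; otherwise an INITIAL_CONTACT is sent unless an IKE_SA
    whose remote identity *equals* the configured IDr already exists.  A wildcard
    IDr therefore never matches a real identity and INITIAL_CONTACT is sent."""
    if rightid is None or rightid == "%any":
        return False
    return rightid not in existing_peer_ids


def proposed_rule(rightid, existing_peer_ids):
    """Variant suggested in the reply: do not send INITIAL_CONTACT when rightid
    contains wildcards, since the existence check cannot be meaningful."""
    if is_wildcard(rightid):
        return False
    return rightid not in existing_peer_ids


if __name__ == "__main__":
    # Constructed sample: an IKE_SA to vpn.example.org is already established.
    sas = {"vpn.example.org"}
    for rid in ("%any", "*.example.org", "vpn.example.org"):
        print(f"rightid={rid:18} current={current_rule(rid, sas)!s:5} "
              f"proposed={proposed_rule(rid, sas)!s:5} "
              f"covers_existing_peer={pattern_covers(rid, 'vpn.example.org')}")
```

The `*.example.org` row is the case from the thread: the pattern would accept the existing peer at authentication, yet the equality-based check misses it and an INITIAL_CONTACT goes out anyway.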