[strongSwan] Sending INIT_CONTACT during "ipsec up .... "
Marko Burazin
morkitz at gmail.com
Tue Nov 15 09:18:28 CET 2016
Hi Tobias,
Couldn't the peer identity be stored locally in the client after receiving
the certificate from the peer in the IKE_AUTH response, even if the parameter
is rightid=%any?
Sorry for asking possibly annoying questions, but I would like to
understand more about whether it's possible to use INIT_CONTACT anyway... Is
there any reason to prevent that kind of implementation?
Thanks again.
Regards,
Marko.
On Mon, Nov 14, 2016 at 3:43 PM Tobias Brunner <tobias at strongswan.org>
wrote:
> Hi Marko,
>
> > Shouldn't the same apply when you use wildcards then? Because in this
> > case it is also not determined what the exact peer identity is, but
> > still the INIT_CONTACT is being sent...?
>
> The code currently just checks if there is an IDr before checking for
> existing connections. With rightid=%any there is none, with wildcards
> there is. However, such an identity will never match an existing SA as
> that identity will not equal an actual remote identity, resulting in
> sending an INITIAL_CONTACT even if there might already be an IKE_SA with
> a specific peer. So yes, I guess checking for connections and sending
> an INITIAL_CONTACT doesn't make much sense if rightid contains any
> wildcards [1].
>
> Regards,
> Tobias
>
> [1]
>
> https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/initial-contact-wildcards
>
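Added illustration (not part of the thread, and not strongSwan code): a small Python model of the INITIAL_CONTACT decision Tobias describes in the quoted reply. The identity strings, the `*` wildcard notation and all function names are made up for this example. It shows why the current check misfires with wildcards: the configured IDr is compared for equality against the remote identities of existing IKE_SAs, a wildcard IDr never equals a concrete peer identity, so INITIAL_CONTACT is sent even though an IKE_SA with that peer already exists. The `suppress_wildcards` flag models the behaviour Tobias suggests (no INITIAL_CONTACT when rightid contains wildcards); it is not a claim about what the linked branch does.

```python
"""Model of the INITIAL_CONTACT decision discussed in this thread.

Added illustration only: not strongSwan code, helper names are made up.
Identities are DN strings; an RDN value of '*' is a wildcard.
"""
from typing import Iterable, List, Optional, Tuple

# Constructed sample identities (not taken from the thread).
PEER = "C=CH, O=strongSwan, CN=moon.strongswan.org"
WILDCARD_IDR = "C=CH, O=strongSwan, CN=*"
ANY_IDR: Optional[str] = None  # rightid=%any: no IDr is configured at all


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=CH, O=x, CN=y' into [('C', 'CH'), ('O', 'x'), ('CN', 'y')]."""
    rdns = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        rdns.append((key.strip(), value.strip()))
    return rdns


def id_has_wildcard(idr: str) -> bool:
    """True if any RDN value of the configured identity is a wildcard."""
    return any(value == "*" for _, value in parse_dn(idr))


def id_matches(pattern: str, actual: str) -> bool:
    """Wildcard-aware comparison: '*' in the pattern accepts any RDN value.
    This is the kind of match used when *selecting* a config for a peer."""
    p, a = parse_dn(pattern), parse_dn(actual)
    if len(p) != len(a):
        return False
    return all(pk == ak and (pv == "*" or pv == av)
               for (pk, pv), (ak, av) in zip(p, a))


def id_equals(a: str, b: str) -> bool:
    """Strict comparison, modelling the existing-SA lookup described
    in the thread: a wildcard IDr never equals a real peer identity."""
    return parse_dn(a) == parse_dn(b)


def should_send_initial_contact(idr: Optional[str],
                                existing_peer_ids: Iterable[str],
                                suppress_wildcards: bool = False) -> bool:
    """Decide whether the initiator adds an INITIAL_CONTACT notify.

    idr: configured rightid, or None for rightid=%any.
    existing_peer_ids: remote identities of IKE_SAs already established.
    suppress_wildcards: modelled variant that skips the notify when the
    IDr contains wildcards, as suggested in the thread (an assumption).
    """
    if idr is None:
        # rightid=%any: no IDr, nothing to compare existing SAs against.
        return False
    if suppress_wildcards and id_has_wildcard(idr):
        # Modelled fix: a wildcard IDr cannot identify "the same peer".
        return False
    # Current behaviour: only an SA whose remote identity EQUALS the IDr
    # suppresses the notify. A wildcard IDr matches the peer (id_matches)
    # but never equals it (id_equals), so the notify is still sent.
    return not any(id_equals(idr, pid) for pid in existing_peer_ids)


if __name__ == "__main__":
    active = [PEER]  # one IKE_SA with the peer already exists
    print("wildcard matches peer:", id_matches(WILDCARD_IDR, PEER))
    print("current, wildcard IDr :", should_send_initial_contact(WILDCARD_IDR, active))
    print("suppressed, wildcard  :", should_send_initial_contact(WILDCARD_IDR, active, True))
    print("exact IDr, SA exists  :", should_send_initial_contact(PEER, active))
    print("rightid=%any          :", should_send_initial_contact(ANY_IDR, active))
```

The practical reason the spurious notify matters: per RFC 7296 an INITIAL_CONTACT notification asserts that this is the only IKE_SA currently active between the authenticated identities, and the responder may delete any other IKE_SAs it holds for that peer. Sending it while a second, legitimate IKE_SA with the same peer is still in use is therefore a self-inflicted teardown, which is why skipping the check for wildcard identities (where the initiator cannot know whether an SA with the same peer exists) is the conservative choice.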