[strongSwan] IKEv1 and identifiers

Emeric POUPON emeric.poupon at stormshield.eu
Mon Jul 3 13:31:57 CEST 2017


Hi,

Thanks for your answer!

Emeric

----- Original Message -----
From: "Tobias Brunner" <tobias at strongswan.org>
To: "Emeric POUPON" <emeric.poupon at stormshield.eu>, users at lists.strongswan.org
Sent: Friday, 30 June, 2017 09:17:38
Subject: Re: [strongSwan] IKEv1 and identifiers

Hi Emeric,

> To sum up, for compatibility reasons, as soon as there is something other than an IP address, we have to activate the "i_dont_care_about_security_and_use_aggressive_mode_psk" option?

The charon daemon, since 5.5.2, does a config lookup based on the IP
addresses and then searches for PSKs based on the configured identities,
only if that does not yield a secret will the PSK lookup be based on the
IPs, see [1].  So you could use identities other than IPs, at least if
the configs can be matched properly (e.g. based on the IPs or hostnames
there).  Otherwise, you will have to use aggressive mode.  But before
you do that you should rather switch to certificates or even IKEv2.

Regards,
Tobias


[1] https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/phase1.c;h=adce59f7ed21b7dccd2b2fb7b39f0163b1e27135;hb=HEAD#l147
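The setup Tobias describes, written out as an added configuration example (not from the thread or from the strongSwan project): an IKEv1 main-mode PSK connection where the conn is matched on the peer IPs, so the secret can be keyed by FQDN identities instead of addresses. Hostnames, addresses and subnets are constructed placeholders; it assumes strongSwan 5.5.2 or later.

```ini
# --- ipsec.conf: IKEv1 main mode, PSK, non-IP identities (constructed example) ---
conn net-net
    keyexchange=ikev1
    aggressive=no              # main mode; the aggressive-mode PSK option stays off
    authby=psk
    left=192.0.2.1             # left/right IPs let charon pick this conn first
    leftid=@moon.example.org   # FQDN identity, not an IP
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightid=@sun.example.org   # peer's FQDN identity
    rightsubnet=10.2.0.0/16
    auto=add

# --- ipsec.secrets: keyed by the configured identities, so the identity-based ---
# --- PSK lookup done after the conn match succeeds; no IP fallback is needed  ---
@moon.example.org @sun.example.org : PSK "replace-with-a-long-random-secret"

# An IP-keyed entry is only consulted when no identity-keyed secret matches:
# 192.0.2.1 198.51.100.1 : PSK "..."

# --- strongswan.conf: the workaround from the question is not required here ---
# (aggressive mode exposes the identities and the PSK-derived hash, hence its name)
# charon {
#     i_dont_care_about_security_and_use_aggressive_mode_psk = no
# }
```

Use the same `@fqdn` spelling in leftid/rightid and in ipsec.secrets so the identity-based lookup matches; if the identities differ from the secrets file, charon falls back to the IP-keyed lookup Tobias mentions.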

