[strongSwan] IKEv1 and identifiers

Tobias Brunner tobias at strongswan.org
Fri Jun 30 09:17:38 CEST 2017


Hi Emeric,

> To sum up, for compatibility reasons, as soon as there is something other than an IP address, we have to activate the "i_dont_care_about_security_and_use_aggressive_mode_psk" option?

The charon daemon, since 5.5.2, does a config lookup based on the IP
addresses and then searches for PSKs based on the configured identities,
only if that does not yield a secret will the PSK lookup be based on the
IPs, see [1].  So you could use identities other than IPs, at least if
the configs can be matched properly (e.g. based on the IPs or hostnames
there).  Otherwise, you will have to use aggressive mode.  But before
you do that you should rather switch to certificates or even IKEv2.

Regards,
Tobias


[1]
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev1/phase1.c;h=adce59f7ed21b7dccd2b2fb7b39f0163b1e27135;hb=HEAD#l147
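A swanctl.conf fragment illustrating the lookup order described in the reply above (added here as an example; it is not part of the original thread and not strongSwan's own documentation): the connection is selected by the peer's IP address, which is all that is known when the PSK is needed in main mode, while the PSK itself is keyed on the configured FQDN identities. The addresses are RFC 5737 documentation ranges, the identities, subnets and the secret are placeholders.

```conf
# Constructed example for strongSwan 5.5.2 or newer (swanctl.conf).
# Main mode IKEv1 with PSK and non-IP identities: charon first matches
# the connection by address, then looks up the PSK by the identities
# configured here, and falls back to an IP-keyed PSK only if that fails.
connections {
    site-b {
        version = 1               # IKEv1
        # aggressive mode stays disabled (the default); no need for the
        # charon.i_dont_care_about_security_and_use_aggressive_mode_psk option
        aggressive = no
        local_addrs  = 198.51.100.5   # placeholder: our gateway address
        remote_addrs = 203.0.113.10   # placeholder: peer address; this is
                                      # what selects the config in main mode
        proposals = aes256-sha256-modp2048

        local {
            auth = psk
            id = gw-a.example.net     # placeholder FQDN identity sent as IDii
        }
        remote {
            auth = psk
            id = gw-b.example.net     # placeholder FQDN identity expected as IDir
        }
        children {
            site-b-net {
                local_ts  = 10.1.0.0/24   # placeholder subnets
                remote_ts = 10.2.0.0/24
                esp_proposals = aes256-sha256
            }
        }
    }
}

secrets {
    # PSK keyed on the identities configured above, not on the addresses.
    ike-site-b {
        id-1 = gw-a.example.net
        id-2 = gw-b.example.net
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder
    }
}
```

After `swanctl --load-all`, `swanctl --list-conns` shows the connection with the FQDN identities; if the peer's address does not match `remote_addrs`, no config is found before the identities are available, which is exactly the case where the reply says aggressive mode (or, preferably, certificates or IKEv2) becomes necessary.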
