[strongSwan] peer config match

Sach K sacho.polo at gmail.com
Sun Jan 20 01:03:29 CET 2019


Hi,

I had a question about how peer configs are matched by strongSwan. I have
two connection definitions in my ipsec.conf, one for road-warriors and one
for site2site. They are roughly defined as shown at the end of this email.
As can be seen, the rw only accepts ikev1, but any right-id. The site2site
accepts any ike version, but a specific right-id that matches the peer's cert
DN. What I see is that the perfect match of ike version is given preference
over the perfect match of ID when choosing the connection. When a site connects
with IKEv1 and the proper cert, "conn rw" is chosen, even though "conn
site2site" has a perfect match of the ID and also matches the ike version
(since that connection definition can accept IKEv1/IKEv2). Shouldn't the
site2site connection definition be chosen because it has the perfect match
of the ID and accepts the ike version? We are using strongSwan version
5.1.2 (+selective patches).

conn rw
          authby=rsasig
          keyexchange=ikev1
          rightid=%any

conn site2site
          authby=rsasig
          keyexchange=ike
          rightid="DN from the peer's cert"

The log lines for the match show:
candidate "site2site", match: 1/20/1048 (me/other/ike)
candidate "rw", match: 1/1/1052 (me/other/ike)

Candidate "rw" has a higher ike match (1052), resulting in "rw" being chosen.

-sk
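The following is an added illustration, not code from the mail or from strongSwan itself. It parses the two "candidate" log lines quoted above and ranks them under two hypothetical orderings: one that compares the ike score first (which reproduces the observed choice of "rw") and one that compares the other-ID score first (which would pick "site2site"). The tuple orderings are assumptions made to show why the precedence between ID match and IKE-version match decides the outcome; they are not a description of strongSwan's actual backend_manager logic.

```python
import re
from typing import List, NamedTuple


class Candidate(NamedTuple):
    """One peer config candidate with its three match scores."""
    name: str
    me: int      # score for the local identity match
    other: int   # score for the remote (rightid) match
    ike: int     # score for the IKE version / proposal match


# Constructed from the two log lines quoted in the mail.
LOG_LINES = [
    'candidate "site2site", match: 1/20/1048 (me/other/ike)',
    'candidate "rw", match: 1/1/1052 (me/other/ike)',
]

_LINE_RE = re.compile(
    r'candidate "(?P<name>[^"]+)", match: '
    r'(?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+) \(me/other/ike\)'
)


def parse_candidate_line(line: str) -> Candidate:
    """Turn one charon 'candidate ...' log line into a Candidate."""
    m = _LINE_RE.search(line)
    if not m:
        raise ValueError(f"not a candidate line: {line!r}")
    return Candidate(
        m.group("name"), int(m.group("me")), int(m.group("other")), int(m.group("ike"))
    )


def parse_candidates(lines: List[str]) -> List[Candidate]:
    return [parse_candidate_line(line) for line in lines]


def pick_ike_first(cands: List[Candidate]) -> Candidate:
    """Hypothetical ordering: IKE score dominates, then ID, then local ID.

    This reproduces the behaviour reported in the mail ("rw" wins on 1052).
    """
    return max(cands, key=lambda c: (c.ike, c.other, c.me))


def pick_id_first(cands: List[Candidate]) -> Candidate:
    """Hypothetical ordering: remote ID score dominates, then IKE, then local ID.

    Under this ordering the specific rightid of "site2site" would win.
    """
    return max(cands, key=lambda c: (c.other, c.ike, c.me))


if __name__ == "__main__":
    cands = parse_candidates(LOG_LINES)
    for c in cands:
        print(f"{c.name:10s} me={c.me} other={c.other} ike={c.ike}")
    print("ike-first ordering picks:", pick_ike_first(cands).name)
    print("id-first ordering picks: ", pick_id_first(cands).name)
```

Running it prints the parsed scores and then the two different winners, which is the crux of the question: a config whose rightid is %any can outrank a config with an exact rightid match whenever the version score is compared before the ID score.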