[strongSwan] peer config match
sacho.polo at gmail.com
Sun Jan 20 01:03:29 CET 2019
I had a question about how peer configs are matched by strongSwan. I have
two connection definitions in my ipsec.conf, one for road-warriors and one
for site2site. They are roughly defined as shown at the end of this email.
As can be seen, the rw only accepts IKEv1, but any right-id. The site2site
accepts any IKE version, but a specific right-id that matches the peer's cert
DN. What I see is that the perfect match of IKE version is given preference
over the perfect match of ID when choosing the connection. When a site connects
with IKEv1, and the proper cert, the "conn rw" is chosen, even though "conn
site2site" has a perfect match of the ID, and also matches the IKE version
(since that connection definition can accept IKEv1/IKEv2). Shouldn't the
site2site connection definition be chosen because it has the perfect match
of the ID and accepts the IKE version? We are using strongSwan version
5.1.2 (+selective patches).
rightid="DN from the peer's cert"
The log lines for the match show
candidate "site2site", match: 1/20/1048 (me/other/ike)
candidate "rw", match: 1/1/1052 (me/other/ike)
Candidate "rw" has higher ike match (1052) resulting in "rw" being chosen.
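As an added example (not part of the original mail or of strongSwan itself), the following script parses charon's "candidate ... match: me/other/ike" debug lines like the two quoted above and reports which peer config is selected and why. It applies the rule the log itself states (the higher ike score wins); using me+other only as a tie-breaker is an assumption of this script, not something the mail confirms.

```python
import re
from typing import Dict, List, Optional

# Matches charon's candidate lines, e.g.
#   candidate "rw", match: 1/1/1052 (me/other/ike)
CANDIDATE_RE = re.compile(
    r'candidate "(?P<name>[^"]+)", match: '
    r'(?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+) \(me/other/ike\)'
)

# Constructed sample: the two log lines quoted in the mail above.
SAMPLE_LOG = """\
candidate "site2site", match: 1/20/1048 (me/other/ike)
candidate "rw", match: 1/1/1052 (me/other/ike)
"""


def parse_candidates(log: str) -> List[Dict]:
    """Extract every candidate peer config and its three match scores."""
    found = []
    for line in log.splitlines():
        m = CANDIDATE_RE.search(line)
        if m:
            found.append({"name": m.group("name"), "me": int(m.group("me")),
                          "other": int(m.group("other")), "ike": int(m.group("ike"))})
    return found


def rank_candidates(cands: List[Dict]) -> List[Dict]:
    """Highest ike score first (as the log explains); me+other breaks ties.
    The tie-break is an assumption of this script."""
    return sorted(cands, key=lambda c: (c["ike"], c["me"] + c["other"]), reverse=True)


def explain_selection(log: str) -> Optional[str]:
    """Return a human-readable explanation of which candidate wins and why."""
    ranked = rank_candidates(parse_candidates(log))
    if not ranked:
        return None
    w = ranked[0]
    out = [f'selected "{w["name"]}" (ike={w["ike"]}, me={w["me"]}, other={w["other"]})']
    for c in ranked[1:]:
        if c["ike"] < w["ike"]:
            reason = f'lower ike match ({c["ike"]} < {w["ike"]})'
            if c["other"] > w["other"]:
                reason += f' even though its peer-ID match is better ({c["other"]} > {w["other"]})'
        else:
            reason = "same ike match but lower identity match"
        out.append(f'rejected "{c["name"]}": {reason}')
    return "\n".join(out)


if __name__ == "__main__":
    print(explain_selection(SAMPLE_LOG))
```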