[strongSwan] peer config match

Tobias Brunner tobias at strongswan.org
Mon Jan 21 11:42:01 CET 2019


> The log lines for the match show
> candidate "site2site", match: 1/20/1048 (me/other/ike)  
> candidate "rw", match: 1/1/1052 (me/other/ike)  
> .Candidate "rw" has higher ike match (1052) resulting in "rw" being chosen.

Yes, that's how it currently works.  The IKE match (which also includes
IP address matches) is currently given precedence over the remote
identity match.  And an exactly matching IKE version gives the IKE match
a boost of 4.  To change that you'll have to modify backend_manager.c,
either remove the boost in get_ike_match() or change insert_sorted() to
change the precedence.


More information about the Users mailing list