[strongSwan] peer config match
Tobias Brunner
tobias at strongswan.org
Mon Jan 21 11:42:01 CET 2019
Hi,
> The log lines for the match show
> candidate "site2site", match: 1/20/1048 (me/other/ike)
> candidate "rw", match: 1/1/1052 (me/other/ike)
>
> .Candidate "rw" has higher ike match (1052) resulting in "rw" being chosen.
Yes, that's how it currently works. The IKE match (which also includes
IP address matches) is currently given precedence over the remote
identity match. And an exactly matching IKE version gives the IKE match
a boost of 4. To change that you'll have to modify backend_manager.c,
either remove the boost in get_ike_match() or change insert_sorted() to
change the precedence.
Regards,
Tobias
More information about the Users
mailing list