[strongSwan] Problem using asymmetric keys against Cisco IOS

Tobias Brunner tobias at strongswan.org
Thu Dec 10 10:11:44 CET 2020


Hi John,

> I want strongswan to see a key ID of CORS89.
>
> How do I do that?

Reading the linked document thoroughly might have helped.  But after
seeing you struggling, I changed the documentation a bit so hopefully
it's clearer now.

> conn Test
>         leftid=@#:CORS89

Why the :?  And as documented, # is used for comments, so quoting is
necessary.

> conn Test
>         leftid="@#:CORS89"

Quotes!  But again the :?  And as documented, @# expects a hex-encoded
value.

> conn Test
>         leftid="#:CORS89"

No idea where you got that syntax from.

> conn Test
>         leftid="=CORS89"

This results in KEY_ID because, again as documented, = triggers parsing
of a DN and since that fails, a fallback to KEY_ID (but the value
includes the =).

> conn Test
>         leftid="CORS89"

That's what you originally had and that defaults to FQDN.

So to answer your initial question:

  leftid=keyid:CORS89

Regards,
Tobias
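
To make the rules in the reply concrete, here is an added Python model (not strongSwan's code, and not part of the original thread) that classifies each leftid form above by first applying ipsec.conf's comment and quote handling and then the documented identity prefixes; the minimal DN check and the tolerance of ':' separators in the @# hex form are assumptions of this model.

```python
import re
from ipaddress import ip_address

# Simplified model of the leftid parsing rules discussed above (not
# strongSwan's own code): ipsec.conf comment/quote handling, then the
# identity prefixes. Accepting ':' separators in the hex decoder and the
# minimal RDN check are assumptions kept deliberately small.
RDN_KEYS = {"C", "ST", "L", "O", "OU", "CN", "E", "EMAIL", "DC", "SN", "UID"}

def unquote_conf_value(raw):
    """Unquoted '#' starts a comment; double quotes protect the value."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quote")
        return raw[1:end]
    return raw.split("#", 1)[0].rstrip()

def looks_like_dn(value):
    """Accept only comma-separated KEY=value RDNs with known attribute types."""
    parts = [p.strip() for p in value.split(",")]
    return all(re.fullmatch(r"[A-Za-z]+=.+", p) and
               p.split("=", 1)[0].upper() in RDN_KEYS for p in parts)

def classify_id(value):
    """Return (identity_type, encoded_bytes) for one identity string."""
    if value.lower().startswith("keyid:"):        # explicit prefix: raw bytes
        return ("KEY_ID", value[6:].encode())
    if value.startswith("@#"):                    # hex-encoded key id
        hexstr = value[2:].replace(":", "")
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hexstr):
            raise ValueError("@# expects a hex-encoded value, got %r" % value[2:])
        return ("KEY_ID", bytes.fromhex(hexstr))
    if "=" in value:                              # try DN, else KEY_ID keeping '='
        return ("DER_ASN1_DN" if looks_like_dn(value) else "KEY_ID", value.encode())
    if value.startswith("@@"):
        return ("USER_FQDN", value[2:].encode())
    if value.startswith("@"):
        return ("FQDN", value[1:].encode())
    if "@" in value:
        return ("RFC822_ADDR", value.encode())
    try:
        ip_address(value)
        return ("IP_ADDR", value.encode())
    except ValueError:
        return ("FQDN", value.encode())           # the default for a bare name

def classify_leftid_line(line):
    """Parse one 'leftid=...' line exactly as it would appear in ipsec.conf."""
    key, _, raw = line.partition("=")
    if key.strip() != "leftid":
        raise ValueError("not a leftid line")
    return classify_id(unquote_conf_value(raw))
```

Running the five quoted attempts through classify_leftid_line reproduces the reply: the unquoted @# line is cut at the comment character, the = form falls back to KEY_ID with the = kept, the bare name is an FQDN, and only keyid:CORS89 (or @# with the hex of CORS89) yields the intended key ID.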
