Hi,

> [...] when the cisco initiates a connection with both the
> transforms, the RSA-SIG being first in the list, strongswan replies back
> with a proposal that contains RSA-SIG, because it is the first in the list,
> even though the connection is defined as PSK.
> Is this a bug and is there a way to fix this?

It is a limitation in the IKEv1 proposal handling in charon. strongSwan 5.x does not honor different authentication methods in IKEv1 proposals, but uses the first one only.

If you look at sa_payload.h, you can see that get_auth_method() returns a single method only. To support multiple auth methods, we'd have to return all of them (for example using a bit-set), and use these methods in main/aggressive_mode.c to select the appropriate config.

Regards
Martin

_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev
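
The bit-set approach outlined in the reply above, as an added sketch that is not strongSwan code and not part of the original message: it collects every authentication method offered across the transforms and picks the local connection that matches, next to the first-method-only behaviour. All names here (`struct conn`, `offered_auth_methods`, `select_conn`, `pick_transform`) are hypothetical; the method numbers are the IKEv1 attribute values from RFC 2409.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IKEv1 Authentication Method attribute values (RFC 2409, Appendix A). */
enum { IKE_AUTH_PSK = 1, IKE_AUTH_DSS_SIG = 2, IKE_AUTH_RSA_SIG = 3 };

/* Hypothetical local connection: a name and the one auth method it allows. */
struct conn { const char *name; int auth; };

static uint32_t auth_bit(int m) { return (m > 0 && m < 32) ? UINT32_C(1) << m : 0; }

/* First-method-only view, as the reply describes; 0 if no transforms. */
static int first_auth_method(const int *t, size_t n) { return n ? t[0] : 0; }

/* Bit-set of every auth method offered across the proposal's transforms. */
static uint32_t offered_auth_methods(const int *t, size_t n)
{
    uint32_t set = 0;
    for (size_t i = 0; i < n; i++)
        set |= auth_bit(t[i]);   /* out-of-range values contribute nothing */
    return set;
}

/* First local connection whose auth method the peer offered, or NULL. */
static const struct conn *select_conn(const struct conn *c, size_t n, uint32_t offered)
{
    for (size_t i = 0; i < n; i++)
        if (offered & auth_bit(c[i].auth))
            return &c[i];
    return NULL;   /* nothing acceptable: the responder should reject */
}

/* Index of the first transform carrying the given method, or -1. */
static int pick_transform(const int *t, size_t n, int auth)
{
    for (size_t i = 0; i < n; i++)
        if (t[i] == auth)
            return (int)i;
    return -1;
}

int main(void)
{
    const int offer[] = { IKE_AUTH_RSA_SIG, IKE_AUTH_PSK };   /* constructed offer */
    const struct conn conns[] = { { "psk-conn", IKE_AUTH_PSK } };
    const struct conn *c = select_conn(conns, 1, offered_auth_methods(offer, 2));
    printf("first-only: %d, selected: %s, transform index: %d\n",
           first_auth_method(offer, 2), c ? c->name : "(none)",
           c ? pick_transform(offer, 2, c->auth) : -1);
    return 0;
}
```

With the constructed offer of RSA-SIG followed by PSK, the first-only view reports RSA-SIG while the bit-set selection finds the PSK connection and the second transform.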
