On 2007/02/22 19:38, jared r r spiegel wrote:
> On Fri, Feb 23, 2007 at 12:09:27AM +0000, Stuart Henderson wrote:
>
> > obviously having the same names, the first is overwritten by the second.
> >
> > Would I be totally going down the wrong route if I were to change
> > the hardcoded -default and default- section names in ipsecctl/ike.c
> > to something based on dstid?
>
> as long as it doesn't then try to use dstid's value
> for, say:
>
> C set [net.100]:Address=net.100 force
that's along the lines I was thinking.
> and then making sure it jived nicely if you actually wanted to do
> an IPaddr in some other potentially configured peer
I think that's not a problem;
if (r->peer) {
fprintf(fd, SET "[peer-%s]:Remote-ID=%s-ID force\n",
r->peer->name, r->peer->name);
fprintf(fd, SET "[%s-ID]:ID-type=%s force\n",
r->peer->name, ike_id_types[idtype]);
fprintf(fd, SET "[%s-ID]:Name=%s force\n",
r->peer->name,
r->auth->dstid);
} else {
fprintf(fd, SET
"[peer-default]:Remote-ID=default-ID force\n");
fprintf(fd, SET "[default-ID]:ID-type=%s force\n",
ike_id_types[idtype]);
fprintf(fd, SET "[default-ID]:Name=%s force\n",
r->auth->dstid);
}
the first half is used if you specify 'peer foo' (it is also used
if you specify 'ike esp from xx to foo' where foo is an ip address
not a subnet, in which case it is also taken as the peer address:
this is a sometimes-useful shortcut, I couldn't decide whether it
was intentional or not, but suffice to say 'attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC' does not
immediately lead you to this as being the problem :-)
