Hi Andreas,

I always think it is inconvenient to let users configure "leftid" and
"rightid" with a complete DN or AltSubjectName. Does the current version of
strongSwan support the automatic acquisition of these two pieces of
information even if the certificate is configured as "never to be sent"? If
not supported, is there a plan for supporting this?

Best Regards,
David 

-----Original Message-----
From: users-boun...@lists.strongswan.org
[mailto:users-boun...@lists.strongswan.org] On Behalf Of weiping deng
Sent: August 28, 2009 10:24
To: 'Andreas Steffen'
Cc: users@lists.strongswan.org
Subject: [strongSwan] Re: unable to initiate to %any

Hi Andreas, 

I got it. Thanks for your help. I have another question to ask:

Is it possible not to provide the "leftid" and "rightid" when I configure
two peers? If I do not provide this information, it will adopt the subject
ID in the certificate. Is that right?

Best Regards,
David

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: August 27, 2009 18:58
To: weiping deng
Cc: 'Martin Willi'; users@lists.strongswan.org
Subject: Re: [strongSwan] unable to initiate to %any

Hi David,

with right=%any you cannot actively initiate a connection as
an initiator since the peer's IP address is not known. You can
only act as a passive responder waiting for the other side to
initiate.

Regards

Andreas

weiping deng wrote:
> Hi Martin, Hi all,
>
> When I try to find out the mechanism of virtual IP and initiate
> strongSwan with the following configuration, I always get the error
> indication: "unable to initiate to %any".
>
> Please give me a clue to track down this problem, thanks.
>
> Configuration of two peers:
>
> -------- [moon]-----------------
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=40m
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn host-host
>         left=172.19.2.13
>         leftfirewall=yes
>         leftcert=/usr/local/etc/ipsec.d/certs/moonCert.pem
>         leftsubnet=192.168.253.0/24
>         right=%any
>         rightsourceip=%config
>         auto=add
>
> ----------[sun]-----------------------
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=40m
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn home
>         left=172.19.2.88
>         leftsourceip=192.168.253.88
>         leftcert=/usr/local/etc/ipsec.d/certs/sunCert.pem
>         leftfirewall=yes
>         right=172.19.2.13
>         rightsubnet=192.168.253.0/24
>         auto=add
> ---------------------------------------------
>
> BTW, I still have the following two questions:
>
> 1)      What's the mechanism of virtual IP?
>
> 2)      Can I simulate one gateway by setting a secondary IP address on a
> Linux PC? If it is feasible, then how?
>
> Best Regards,
>
> David
===================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
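
Added example, not part of the original thread and not strongSwan project code: a small check that reads ipsec.conf-style text, merges `conn %default` into each conn, and lists the conns with right=%any, which per Andreas's reply can only wait as responder. The sample text and the `roadwarrior` conn are constructed; `also=` and `include` are not handled.

```python
# Constructed sample modelled on the [moon] and [sun] configs in this thread.
SAMPLE = """\
config setup
        strictcrlpolicy=no
        plutostart=no

conn %default
        keyexchange=ikev2
        auto=add

conn host-host
        left=172.19.2.13
        right=%any

conn home
        left=172.19.2.88
        right=172.19.2.13

conn roadwarrior   # hypothetical conn, not from the thread
        left=172.19.2.13
        right=%any
        auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header in column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def responder_only(conns):
    """Conns whose peer address is %any: they cannot be initiated locally."""
    return sorted(n for n, o in conns.items() if o.get("right") == "%any")

def autostart_conflicts(conns):
    """Responder-only conns that still ask to be initiated at startup."""
    return [n for n in responder_only(conns) if conns[n].get("auto") == "start"]

if __name__ == "__main__":
    conns = parse_conns(SAMPLE)
    print("responder only:", responder_only(conns))
    print("auto=start with right=%any:", autostart_conflicts(conns))
```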
