On Tue, 2 Apr 2019, Messa, Michael - 0664 - MITLL wrote:
> I am attempting to configure a client to connect with a server in tunnel mode where the client does not know the ID of the server prior to initiating the key exchange, and the authentication uses a pre-shared key (PSK).
That is a very strange scenario.
> The server is required to identify itself for authentication using a fixed, verbatim identification string.
If that is a fixed string, why can't that be the peer ID known to the client?
> The client’s sole existence is to connect to only this one server.
The term "only this one server" is based on the PSK without ID? That is a strange concept of authentication of identity.
> Using StrongSwan I’ve been able to configure a client with a “rightid=%any”, which effectively allows me to wildcard the IDr in the IKE. Does LibreSwan offer such a flexibility? If so, what is the appropriate configuration? I’ve tried “rightid=%any” despite no documentation saying it was supported. The result was that rightid defaulted to right (as described in the documentation) and the IKE fails with an error like:
We currently do not support this. It would be possible to add, but I would really need to understand the use case first because I still cannot imagine a scenario where the constraints you mention are a valid set of constraints for deployment.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
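As an added illustration (not part of the thread, and not libreswan's own documentation), this is the libreswan client configuration that follows Paul's point: since the server presents a fixed, verbatim identity, pin that identity in rightid rather than wildcarding it, so the PSK is bound to the expected peer. All connection names, identities, addresses and subnets below are placeholders.

```ini
# Added example, not from the thread: a libreswan client that pins the
# server's fixed identity instead of wildcarding it. All names and
# addresses are placeholders.

# /etc/ipsec.conf
conn to-fixed-server
    type=tunnel
    ikev2=insist
    authby=secret
    left=%defaultroute
    leftid=@client.example
    right=203.0.113.10
    # The fixed, verbatim ID the server sends as IDr; libreswan rejects
    # a peer whose IDr does not match this value.
    rightid=@server.example
    leftsubnet=10.0.1.0/24
    rightsubnet=10.0.2.0/24
    auto=start

# /etc/ipsec.secrets
# The PSK is selected by the pair of identities, so the secret is only
# used for the exchange with the pinned server identity.
@client.example @server.example : PSK "replace-with-a-long-random-secret"
```

With rightid set to the server's known string, the identity check and the PSK lookup are tied together, which is the property the %any wildcard gives up; if the server's identity later changes, this is the single line that has to change on the client.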
