On Fri, 5 Apr 2019, Messa, Michael - 0664 - MITLL wrote:
"I still cannot imagine a scenario where the constraints you mention are a valid set of constraints for deployment." I concur. The counter argument I've received is that the PSK alone is sufficient to anchor the trust between the client and the server and that the IDr in this case is not consequential.
That might be true, if the PSK is unique and not shared, and the scenario only works when you have one of these, because if you have two of these, then you would end up having to select one PSK and if the AUTH fails, retry with the other PSK. So again, that makes supporting this a really odd corner case. The obvious solution would be to agree on the ID and configure it. Or if the other party refuses that, to just see what ID they send and stupidly configure it on your end as the peer ID.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
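As an added illustration, not part of Paul's message or of libreswan's own documentation, this is what "agree on the ID and configure it" looks like on one side of an IKEv2 PSK tunnel in libreswan's `ipsec.conf` and `ipsec.secrets`. The addresses, the IDs `@east` and `@west`, the connection name and the key value are all constructed for the example; the option spelling (`leftid`/`rightid`, `authby=secret`, `ikev2=insist`, an `@name` ID pair keying the secret) is assumed to match the libreswan syntax in use at the time of the thread.

```conf
# /etc/ipsec.conf (constructed example, not a libreswan sample)
conn psk-east-west
    # our side
    left=192.0.2.1
    leftid=@east        # the IDi/IDr we send; agreed with the peer in advance
    # peer side
    right=203.0.113.7
    rightid=@west       # the ID we expect the peer to send; AUTH fails otherwise
    authby=secret       # pre-shared key authentication
    ikev2=insist
    auto=start

# /etc/ipsec.secrets (constructed example)
# The secret is selected by the pair of IDs, so with IDs pinned on both
# sides there is exactly one candidate PSK and no "try the other one" retry.
@east @west : PSK "constructed-example-key-do-not-use"
```

The point of pinning `rightid` is the one Paul makes: once the expected peer ID is configured, the responder knows which secret to look up before it checks AUTH, and a second PSK for a different peer can coexist in `ipsec.secrets` under its own ID pair without ambiguity.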
