On Mon, 8 Apr 2019, Nick Howitt wrote:
I may have missed something, but what happens if you do right=%any? At that point the rightid becomes irrelevant, doesn't it? Nick
It will then default to ID_IP, and so if you are coming from behind NAT, you will present the "wrong" ID. Most right=%any are limited by the authby= method.

When using authby=secret, we do ignore the ID_IP just because too many clients behind NAT send such a nonsense ID. When using authby=rsasig, like when using certificates, the ID is still checked to be a valid SAN entry on the certificate.

The ID is also often used to detect a reconnect from the same client versus a connect from a different client, so we can more quickly purge old replaced client connections. So while there might not be a security purpose when used with a single PSK client, it still serves other purposes.

Paul
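The two cases Paul describes, written out as an ipsec.conf fragment. This is an added illustration, not configuration posted in the thread or shipped by libreswan; the addresses, the certificate nickname and the connection names are assumptions. The first conn relies on the PSK path, where a NAT'ed client's ID_IP is ignored; the second forces the peer's ID to be taken from, and checked against, the SAN entries of its certificate.

```ini
# Constructed example, not from the original thread or the libreswan project.

# PSK road warriors: right=%any with authby=secret. The peer's ID defaults to
# ID_IP, and a client behind NAT will send its private address, so libreswan
# ignores ID_IP here and matches the PSK on the gateway side only.
conn psk-roadwarriors
    left=192.0.2.1                  # gateway address (assumed)
    leftid=@gateway.example.com     # gateway presents an FQDN ID (assumed)
    right=%any                      # any initiator address
    authby=secret
    auto=add

# Certificate road warriors: right=%any with authby=rsasig. The ID the peer
# presents must be a SAN (or DN) of the certificate it authenticates with,
# and the certificate must chain to the same CA as the gateway's.
conn cert-roadwarriors
    left=192.0.2.1
    leftcert=gateway.example.com    # nickname of the gateway cert in the NSS db (assumed)
    leftid=%fromcert
    right=%any
    rightid=%fromcert               # ID taken from, and checked against, the peer's cert
    rightca=%same                   # peer cert must be issued by the gateway's CA
    authby=rsasig
    auto=add
```

The matching /etc/ipsec.secrets entry for the PSK conn is of the form `192.0.2.1 %any : PSK "..."`, which is exactly why a single shared secret gives no per-client identity: every NAT'ed client ends up on the same secret regardless of the ID_IP it sends. With the certificate conn, a client that connects twice with the same certificate ID replaces its earlier instance, which is the reconnect-detection behaviour Paul mentions; `ipsec status` (or `ipsec whack --trafficstatus`) shows the instantiated connections per peer ID so you can confirm stale instances are being purged.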
