On Sat, Feb 22, 2020 at 12:24:36PM +0100, Klemens Nanni wrote:
> On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> > This is not what dstid does. When setting 'dstid D.example.com' the policy
> > still only applies if the peer sends 'D.example.com' as its identity in the
> > ID payload. Not setting dstid explicitly means iked will fall back to the
> > value of "peer", which in your case would be the same: "D.example.com".
> > 
> > Setting dstid is only necessary if you are using the IP address in the
> > "peer" option but still want to use a FQDN as ID, which is really only the
> > case with certificate authentication where the ID must match the
> > subjectAltName.
> I can double check yet again, but I'm pretty sure that setting dstid
> was what made iked find the public key.  So far, I have not used literal
> IPs in my configuration - that I know for sure.

That was also my experience when working on faq17: srcid/dstid were used
to look up the cert/key in /etc/iked...
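
For reference, here is an added iked.conf example (not part of this thread or of the OpenBSD documentation) that puts the two cases discussed above side by side: a policy whose "peer" is an FQDN and therefore needs no dstid, and a policy whose "peer" is an IP address but whose remote still identifies itself by FQDN, where dstid is required. Only D.example.com is taken from the thread; the local name A.example.com, the policy names and all addresses (RFC 5737 documentation ranges) are assumed for illustration. The key locations under /etc/iked/pubkeys/ follow the <type>/<id> layout iked uses for public key lookup.

```conf
# Added example, not from the thread. Names other than D.example.com and
# all addresses are assumed for illustration.

# Case 1: "peer" is an FQDN and dstid is not set. iked falls back to the
# peer name, so the policy matches only if the remote sends
# "D.example.com" in its ID payload, and the peer's public key is looked
# up at /etc/iked/pubkeys/fqdn/D.example.com.
# srcid is our own ID; if omitted, iked uses the local host's FQDN.
ikev2 "to-D" active esp \
	from 192.0.2.0/24 to 198.51.100.0/24 \
	peer D.example.com \
	srcid A.example.com

# Case 2: "peer" is an IP address, but the remote identifies itself with
# an FQDN (typical with certificate auth, where the ID has to match a
# subjectAltName in the cert). Without dstid the expected ID would be the
# address and the lookup would go to /etc/iked/pubkeys/ipv4/203.0.113.10;
# with dstid the expected ID and the lookup path are the FQDN again:
# /etc/iked/pubkeys/fqdn/D.example.com
ikev2 "to-D-by-ip" active esp \
	from 192.0.2.0/24 to 198.51.100.0/24 \
	peer 203.0.113.10 \
	srcid A.example.com \
	dstid D.example.com
```

Running iked -n after editing the file checks the configuration for syntax errors without starting the daemon; it does not verify that the referenced keys exist, so the files under /etc/iked/pubkeys/ still have to be checked by hand against the ID the peer actually sends.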
