On Sat, Feb 22, 2020 at 12:41:12PM +0100, Landry Breuil wrote:
> On Sat, Feb 22, 2020 at 12:24:36PM +0100, Klemens Nanni wrote:
> > On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> > > This is not what dstid does. When setting 'dstid D.example.com' the
> > > policy still only applies if the peer sends 'D.example.com' as its
> > > identity in the ID payload.
> > > Not setting dstid explicitly means iked will fall back to the value of
> > > "peer", which in your case would be the same: "D.example.com".
> > >
> > > Setting dstid is only necessary if you are using the IP address in the
> > > "peer" option but still want to use a FQDN as ID, which is really only the
> > > case with certificate authentication where the ID must match the
> > > subjectAltName.
> > I can double check yet again, but I'm pretty sure that setting dstid
> > was what made iked find the public key. So far, I have not used literal
> > IPs in my configuration - that I know for sure.
>
> That was also my experience when working on faq17, srcid/dstid were used
> to look up the cert/key in /etc/iked...
They are indeed used for the lookup. But IIRC iked should use the value of peer as dstid by default, so setting both to the same value should not be necessary.
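As an added illustration (not from the thread), the two cases described above written as iked.conf policies; the policy names, hostnames, addresses and traffic selectors are placeholders:

```conf
# Case 1: "peer" is an FQDN and dstid is omitted. iked falls back to the
# value of "peer", so the policy only matches if the remote sends
# "D.example.com" as its IKEv2 identity, and with the default public-key
# authentication the key is looked up as /etc/iked/pubkeys/fqdn/D.example.com.
ikev2 "to-d" active esp from 10.0.1.0/24 to 10.0.2.0/24 peer D.example.com srcid A.example.com

# Case 2: "peer" is an IP address but the remote identifies itself with an
# FQDN (typical for certificate authentication, where the ID has to match the
# certificate's subjectAltName). Without an explicit dstid the fallback would
# be the address 192.0.2.1, so the FQDN has to be given here.
ikev2 "to-d-by-ip" active esp from 10.0.1.0/24 to 10.0.2.0/24 peer 192.0.2.1 srcid A.example.com dstid D.example.com
```

Run `iked -n -f /etc/iked.conf` to check the syntax, and `ikectl show sa` after connecting to confirm which IDs were actually exchanged.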
