Dear All,
I wonder if anyone can help me with a strongSwan config issue? I'm trying to configure a SeGW running strongSwan (v4.5.1) to accept incoming tunnel attempts and assign them to different virtual address pools. I thought the easiest way to do this was to create different config entries with different address pools specified by the rightsourceip param. Unfortunately, I can't get the wildcarding to work as I would like, meaning that I have to have ONE config entry for each client, when I would actually like to reduce these down to the bare minimum using wildcarding.

So, as an example, I have three clients coming in using IDi's of

    310751...@foo.abc751.def310.bar.org
    235003...@foo.abc003.def235.bar.org
    235010...@foo.abc010.def235.bar.org

I would like the first of these to have its own ipsec.conf entry:

    conn foo-abc751-def310
        ...
        rightid=*@foo.abc751.def310.bar.org
        rightsourceip=10.17.0.0/24
        ...

and I was hoping to cover the other two with a combined ipsec.conf entry:

    conn foo-def235
        ...
        rightid=*@foo.abc*.def235.bar.org
        rightsourceip=10.17.1.0/24
        ...

However, this does not work. When either of these two tries to come in, charon logs that no peer config was found and rejects the tunnel. Instead, I have to split them up:

    conn foo-abc003-def235
        ...
        rightid=*@foo.abc003.def235.bar.org
        rightsourceip=10.17.1.0/24
        ...

    conn foo-abc010-def235
        ...
        rightid=*@foo.abc010.def235.bar.org
        rightsourceip=10.17.2.0/24
        ...

I could probably get away with specifying the same address pool in both of these cases (i.e. 10.17.1.0/24), but I would REALLY like to combine the two entries.

This also applies to ipsec.secrets, where I want to specify a combined secret entry:

    *@foo.abc*.def235.bar.org : THE secret

rather than split the entries up:

    *@foo.abc003.def235.bar.org : THE secret
    *@foo.abc010.def235.bar.org : THE secret

Using *@foo.abc???.def235.bar.org would also be perfectly acceptable, but I've seen no mention of this in the documentation or code.

Does this make sense? Sound reasonable? Or am I trying to do things in completely the wrong way (and someone can suggest a much better way)?

Graham.
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
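The following is an added example, not code from the post or from strongSwan. It models the two peer-ID matching rules that are at stake in the question above: a suffix-only rule (a pattern is either an exact ID or a single leading "*" followed by a literal suffix), which is assumed here because it is the rule that reproduces the "no peer config was found" behaviour the poster sees, and a full glob rule ("*" and "?" anywhere), which is what the combined conn entries would need. The conn names, rightid patterns and pools are taken from the post; the client IDs used as input are constructed stand-ins (the post elides the local parts), and the daemon's real matching code is not consulted here. The is_suffix_only_pattern check is the practical takeaway: run it over every rightid in ipsec.conf and every selector in ipsec.secrets to find entries that can never match under suffix-only semantics.

```python
"""Peer-ID pattern matching versus rightid wildcards (illustrative, not strongSwan code)."""
import fnmatch
import ipaddress
from typing import Callable, List, Optional, Tuple

# (conn name, rightid pattern, rightsourceip pool) -- values from the post.
CONNS_WANTED: List[Tuple[str, str, str]] = [
    ("foo-abc751-def310", "*@foo.abc751.def310.bar.org", "10.17.0.0/24"),
    ("foo-def235",        "*@foo.abc*.def235.bar.org",   "10.17.1.0/24"),
]
CONNS_SPLIT: List[Tuple[str, str, str]] = [
    ("foo-abc751-def310", "*@foo.abc751.def310.bar.org", "10.17.0.0/24"),
    ("foo-abc003-def235", "*@foo.abc003.def235.bar.org", "10.17.1.0/24"),
    ("foo-abc010-def235", "*@foo.abc010.def235.bar.org", "10.17.2.0/24"),
]

# Constructed sample IDi values; the local parts are not the real ones.
SAMPLE_IDS = [
    "client751@foo.abc751.def310.bar.org",
    "client003@foo.abc003.def235.bar.org",
    "client010@foo.abc010.def235.bar.org",
]

Matcher = Callable[[str, str], bool]


def suffix_match(pattern: str, ident: str) -> bool:
    """Assumed daemon rule: exact match, or one leading '*' matching any prefix.

    A '*' or '?' anywhere else in the pattern is treated as a literal
    character, which is why '*@foo.abc*.def235.bar.org' never matches.
    """
    if pattern == ident:
        return True
    if pattern.startswith("*"):
        return ident.endswith(pattern[1:])
    return False


def glob_match(pattern: str, ident: str) -> bool:
    """The semantics the poster asks for: '*' and '?' honoured anywhere."""
    return fnmatch.fnmatchcase(ident, pattern)


def is_suffix_only_pattern(pattern: str) -> bool:
    """True if the pattern is expressible under the suffix-only rule.

    Patterns that contain '?' or a '*' past position 0 would silently be
    compared literally, so they deserve a warning in a config review.
    """
    body = pattern[1:] if pattern.startswith("*") else pattern
    return "*" not in body and "?" not in body


def select_conn(conns: List[Tuple[str, str, str]], ident: str,
                matcher: Matcher) -> Optional[Tuple[str, ipaddress.IPv4Network]]:
    """First conn whose rightid matches ident, with its pool; None if no peer config."""
    for name, rightid, pool in conns:
        if matcher(rightid, ident):
            return name, ipaddress.ip_network(pool)
    return None


def dispatch_all(conns: List[Tuple[str, str, str]], matcher: Matcher) -> dict:
    """Map each sample ID to the conn name it lands on ('NO PEER CONFIG' if none)."""
    result = {}
    for ident in SAMPLE_IDS:
        hit = select_conn(conns, ident, matcher)
        result[ident] = hit[0] if hit else "NO PEER CONFIG"
    return result


def unmatchable_patterns(conns: List[Tuple[str, str, str]]) -> List[str]:
    """rightid values that the suffix-only rule could never match as intended."""
    return [rightid for _, rightid, _ in conns if not is_suffix_only_pattern(rightid)]


if __name__ == "__main__":
    print("combined entries, suffix-only rule:", dispatch_all(CONNS_WANTED, suffix_match))
    print("combined entries, glob rule:       ", dispatch_all(CONNS_WANTED, glob_match))
    print("split entries, suffix-only rule:   ", dispatch_all(CONNS_SPLIT, suffix_match))
    print("patterns needing real globbing:    ", unmatchable_patterns(CONNS_WANTED))
```

Running the script shows the combined conn failing under the suffix-only rule (exactly the rejection the post describes), succeeding under globbing, and the split entries working under either rule. Whether the daemon in use actually implements the suffix-only rule should be confirmed against its own source or by watching the charon log for the rejected peer; the model here only explains the observed behaviour, it does not prove it.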