Hi,

> Is it only possible to have one global (even if defined inside a
> connection) single ike/esp definition using strict flag in ipsec.conf?

It's actually not a global definition, but the configuration selection fails with your setup. When selecting a configuration as a responder, only the IP addresses are used. As all your configurations match for the specified IPs, the first one is chosen, where proposal selection does not find a match.

We could include the received proposal set into the selection algorithm, but it requires some work. The only workaround I see is to define right (or left) addresses to select the correct configuration, but this of course does not work if europa/uranus have dynamic addresses.

Regards
Martin
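
The address-based workaround described in the reply, sketched as an added example that is not part of the original message or the poster's configuration. The conn names, the 192.0.2.x addresses and the proposal strings are constructed placeholders, and authentication settings are assumed to be configured elsewhere.

```conf
# ipsec.conf on the responder (constructed example)

conn %default
    keyexchange=ikev2
    left=192.0.2.1              # responder's own address (placeholder)
    auto=add

# Before: both conns accept any peer address, so IP-only selection always
# picks the first one. A peer offering the second proposal set is then
# rejected, because the strict flag (!) on the first conn leaves no match.
#
# conn europa
#     right=%any
#     ike=aes256-sha1-modp2048!
#     esp=aes256-sha1!
#
# conn uranus
#     right=%any
#     ike=aes128-sha1-modp1536!
#     esp=aes128-sha1!

# After: each conn is pinned to its peer's static address, so the responder
# selects the matching conn before proposal selection runs.
conn europa
    right=192.0.2.10            # europa's static address (placeholder)
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1!

conn uranus
    right=192.0.2.20            # uranus' static address (placeholder)
    ike=aes128-sha1-modp1536!
    esp=aes128-sha1!
```

This only helps when both peers have static addresses; with dynamic addresses the conns are again indistinguishable at selection time.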
