Hi Mark,

> Sometimes when a connection comes up and it is the
> second connection in the ipsec.conf file, strongSwan tries to use
> parameters from the first connection listed. For example if I define
> the ike and esp algorithms in the second connection listed, it would
> always use the ike and esp parameters listed in my first connection.

The problem is that when a client connects, the gateway has basically just the IP addresses available to find a matching config. So if you have more than one connection with right=%any, the ike parameters of the first one will be used. Later, the connection could be switched to another config based on the IKE identities (left|rightid), so esp parameters could vary between such connections.

> Also I think when it tries to match a config to a certificate id, if each
> connection has similar parameters, it will use the first connection
> it finds going from top-to-bottom. Is this normal behavior?

Yes, the daemon checks each config from top-to-bottom and applies a score as to how good a match the config is based on the IP addresses and identities. If no better match is found, the first config will be used.

Regards,
Tobias
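A check for the situation described in this reply, as an added example that is not part of the original thread or of strongSwan: it parses an ipsec.conf and reports every conn whose ike= differs from an earlier conn with the same left/right addresses, since the reply says the first one's ike parameters are used. The sample config, conn names and proposals are constructed, and the parser assumes plain conn sections without also= or %default inheritance.

```python
import re

# Constructed sample config (not from the thread); names and proposals are illustrative.
SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn rw-legacy
    right=%any
    rightid=@legacy.example.org
    ike=aes128-sha1-modp2048
    esp=aes128-sha1

conn rw-modern
    right=%any
    rightid=@modern.example.org
    ike=aes256-sha256-modp3072
    esp=aes256gcm16

conn site-b
    right=192.0.2.10
    ike=aes256-sha256-modp3072
"""

def parse_conns(text):
    """Return [(name, {option: value})] for each conn section, in file order."""
    conns, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a new section
            m = re.match(r"conn\s+(\S+)$", line)
            current = {} if m else None      # skip "config setup" and "ca" sections
            if m:
                conns.append((m.group(1), current))
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def shadowed_ike(text):
    """List (conn, earlier_conn) pairs with the same left/right but a different ike=."""
    first, findings = {}, []
    for name, opts in parse_conns(text):
        peer = (opts.get("left"), opts.get("right"))
        if peer not in first:
            first[peer] = (name, opts.get("ike"))
        elif opts.get("ike") != first[peer][1]:
            findings.append((name, first[peer][0]))
    return findings
```

A finding means the later conn's ike= proposal is not the one offered to a peer that matches both conns by address only; differing esp= values are not reported because the reply notes those can vary once the config is switched on identities.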
