Tobias, this is bad news. I am trying to set up my strongSwan gateway to have multiple connections. Some connections will be for site-to-site configs and others will be for my mobile roadwarrior clients. Also, each config will have different ike and esp parameters because for my site-to-site config I use ecc/suite b crypto while the mobile clients cannot support that, so the parameters for those connections need to be different.
Are there any tips or tricks I could use?

------------------------------

On Sun, Sep 23, 2012 2:11 AM EDT Tobias Brunner wrote:
>Hi Mark,
>
>> Sometimes when a connection comes up and it is the
>> second connection in the ipsec.conf file, strongSwan tries to use
>> parameters from the first connection listed. For example if I define
>> the ike and esp algorithms in the second connection listed, it would
>> always use the ike and esp parameters listed in my first connection.
>
>The problem is that when a client connects the gateway has basically
>just the IP addresses available to find a matching config. So if you
>have more than one connection with right=%any, the ike parameters of the
>first one will be used. Later, the connection could be switched to
>another config based on the IKE identities (left|rightid) so esp
>parameters could vary between such connections.
>
>> Also I think when it tries to match a config to a certificate id, if each
>> connection has similar parameters, it will use the first connection
>> it finds going from top-to-bottom. Is this normal behavior?
>
>Yes, the daemon checks each config from top-to-bottom and applies a
>score as to how good a match the config is based on the IP addresses and
>identities. If no better match is found the first config will be used.
>
>Regards,
>Tobias

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
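An ipsec.conf layout that follows Tobias's explanation (added example, not from either poster): the site-to-site conn pins right= to the peer's address so the gateway can pick it by IP, and only the roadwarrior conn uses right=%any, so its ike= line is the one applied to unknown initiators. All addresses, subnets, identities and certificate file names are placeholders.

```ini
# Added example (not from the thread). Two conns with different ike/esp
# proposals; the gateway selects the initial config by IP address, so the
# site-to-site peer gets a fixed right= and the road warriors get right=%any.
# Every address, subnet, identity and file name below is a placeholder.
config setup

conn %default
    keyexchange=ikev2
    left=203.0.113.1                  # placeholder: this gateway's address
    leftcert=gatewayCert.pem          # placeholder: gateway certificate
    leftsubnet=10.0.0.0/16            # placeholder: network behind gateway

# Site-to-site peer with a known address: ECC / Suite B style proposals.
conn site-b
    right=198.51.100.7                # placeholder: remote gateway address
    rightid="C=CH, O=Example, CN=siteb.example.org"   # placeholder DN
    rightsubnet=10.1.0.0/16           # placeholder: network behind peer
    authby=ecdsasig
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    auto=start

# Road warriors: right=%any matches any initiator address, so the ike= line
# here is what strongSwan uses for peers it cannot match by IP.
conn roadwarrior
    right=%any
    rightsourceip=10.9.0.0/24         # placeholder: virtual IP pool
    authby=pubkey
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=add
```

The trailing "!" makes each proposal strict, which makes a wrong-config match visible as a NO_PROPOSAL_CHOSEN failure in the log instead of a silent downgrade.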
