Hi Marko,

> Shouldn't the same apply when you use wildcards then? Because in this
> case also is not determined on what the exact peer identity is, but
> still the INIT_CONTACT is being sent...?

The code currently just checks if there is an IDr before checking for existing connections. With rightid=%any there is none, with wildcards there is. However, such an identity will never match an existing SA as that identity will not equal an actual remote identity, resulting in sending an INITIAL_CONTACT even if there might already be an IKE_SA with a specific peer. So yes, I guess checking for connections and sending an INITIAL_CONTACT doesn't make much sense if rightid contains any wildcards [1].

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/initial-contact-wildcards
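The decision described in the reply above, modelled as an added example (not strongSwan's own code and not taken from the referenced branch). All function names, the '*' substring test for wildcards, and the sample identities are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: any '*' in the configured rightid counts as a wildcard. */
static bool has_wildcards(const char *id) { return strchr(id, '*') != NULL; }

/* Assumption: no IDr is configured when rightid is unset or "%any". */
static bool no_idr(const char *id) { return id == NULL || strcmp(id, "%any") == 0; }

/* Exact-match lookup over the remote identities of established IKE_SAs. */
static bool has_sa_with(const char *const *sas, size_t n, const char *idr)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(sas[i], idr) == 0)
			return true;
	return false;
}

/* Behaviour as described in the mail: only the presence of an IDr is checked. */
bool initial_contact_current(const char *rightid, const char *const *sas, size_t n)
{
	if (no_idr(rightid))
		return false;	/* no lookup, no notify (reading of the mail) */
	return !has_sa_with(sas, n, rightid);	/* a wildcard ID never equals a real ID */
}

/* Behaviour the mail suggests: also skip when rightid contains wildcards. */
bool initial_contact_suggested(const char *rightid, const char *const *sas, size_t n)
{
	if (no_idr(rightid) || has_wildcards(rightid))
		return false;
	return !has_sa_with(sas, n, rightid);
}

/* Constructed sample: remote identities of IKE_SAs that are already up. */
static const char *const SAMPLE_SAS[] = { "gw1.example.org", "gw2.example.org" };
#define SAMPLE_N (sizeof(SAMPLE_SAS) / sizeof(SAMPLE_SAS[0]))

int main(void)
{
	const char *ids[] = { "%any", "*.example.org", "gw1.example.org", "gw3.example.org" };
	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		printf("%-16s current=%d suggested=%d\n", ids[i],
		       initial_contact_current(ids[i], SAMPLE_SAS, SAMPLE_N),
		       initial_contact_suggested(ids[i], SAMPLE_SAS, SAMPLE_N));
	return 0;
}
```
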
