Hi Tobias,

Couldn't the peer identity be stored locally in the client after receiving the certificate from the peer in the IKE_AUTH response, even if the parameter is rightid=%any?

Sorry for asking possibly annoying questions, but I would like to understand more about whether it's possible to use INIT_CONTACT anyway... Is there any reason to prevent that kind of implementation?

Thanks again.

Regards,
Marko.

On Mon, Nov 14, 2016 at 3:43 PM Tobias Brunner <[email protected]> wrote:
> Hi Marko,
>
> > Shouldn't the same apply when you use wildcards then? Because in this
> > case it is also not determined what the exact peer identity is, but
> > still the INIT_CONTACT is being sent...?
>
> The code currently just checks if there is an IDr before checking for
> existing connections. With rightid=%any there is none, with wildcards
> there is. However, such an identity will never match an existing SA as
> that identity will not equal an actual remote identity, resulting in
> sending an INITIAL_CONTACT even if there might already be an IKE_SA with
> a specific peer. So yes, I guess checking for connections and sending
> an INITIAL_CONTACT doesn't make much sense if rightid contains any
> wildcards [1].
>
> Regards,
> Tobias
>
> [1]
> https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/initial-contact-wildcards
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
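The decision Tobias describes above, modelled as an added example in C (this is a constructed illustration, not strongSwan's own code): the configured rightid is compared for equality against the remote identity of each established IKE_SA, so a wildcard identity never matches and INITIAL_CONTACT is sent anyway; the `with_wildcard_fix` flag models the proposed change of skipping the notify when rightid is %any or contains wildcards. The function names and the sample peer identities are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the INITIAL_CONTACT decision discussed in the thread.
 * Identities are plain strings; '*' marks a wildcard, "%any" means no IDr. */

/* True when the configured identity does not name one specific peer. */
static bool id_is_wildcard(const char *rightid)
{
    return rightid == NULL || strcmp(rightid, "%any") == 0 ||
           strchr(rightid, '*') != NULL;
}

/* Pre-fix behaviour: look for an existing IKE_SA whose remote identity
 * equals the configured IDr. A wildcard IDr never equals a concrete
 * identity, so this lookup finds nothing even when an SA exists. */
static bool has_ike_sa_with(const char *idr, const char *const *peer_ids,
                            size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(idr, peer_ids[i]) == 0) {
            return true;
        }
    }
    return false;
}

/* Returns true if an INITIAL_CONTACT notify would be added to IKE_AUTH.
 * peer_ids holds the remote identities of the currently established
 * IKE_SAs. with_wildcard_fix=false models the behaviour described in the
 * thread; with_wildcard_fix=true models the proposed change. */
bool should_send_initial_contact(const char *rightid,
                                 const char *const *peer_ids, size_t n,
                                 bool with_wildcard_fix)
{
    if (rightid == NULL || strcmp(rightid, "%any") == 0) {
        return false; /* no IDr at all: nothing to compare, never sent */
    }
    if (with_wildcard_fix && id_is_wildcard(rightid)) {
        return false; /* exact peer unknown until IKE_AUTH, so skip it */
    }
    return !has_ike_sa_with(rightid, peer_ids, n);
}
```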
