Hi,

I had a question about how peer configs are matched by strongSwan. I have two connection definitions in my ipsec.conf, one for road-warriors and one for site2site. They are roughly defined as shown at the end of this email.

As can be seen, the rw conn only accepts IKEv1, but any right-id. The site2site conn accepts any IKE version, but a specific right-id that matches the peer's cert DN.

What I see is that the perfect match of the IKE version is given preference over the perfect match of the ID when choosing a connection. When a site connects with IKEv1 and the proper cert, "conn rw" is chosen, even though "conn site2site" has a perfect match of the ID and also matches the IKE version (since that connection definition can accept IKEv1/IKEv2).

Shouldn't the site2site connection definition be chosen, because it has the perfect match of the ID and accepts the IKE version?

We are using strongSwan version 5.1.2 (+selective patches).
conn rw
    authby=rsasig
    keyexchange=ikev1
    rightid=%any

conn site2site
    authby=rsasig
    keyexchange=ike
    rightid="DN from the peer's cert"

The log lines for the match show:

    candidate "site2site", match: 1/20/1048 (me/other/ike)
    candidate "rw", match: 1/1/1052 (me/other/ike)

Candidate "rw" has the higher ike match (1052), resulting in "rw" being chosen.

-sk
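Added illustration, not part of the message above and not strongSwan's own documentation: the candidate lines in the log show that the ike score is compared before the me/other (ID) scores, and that the exact-DN match scores 20 against 1 for rightid=%any. One way to let the ID decide, under the assumption that the two conns share the same left/right addresses (so an ikev1-only site2site conn earns the same ike score as "rw", 1052 in the log), is to split site2site into a per-IKE-version pair via also=, so the ike scores tie and the 20-vs-1 ID score separates them. The conn names site2site-common, site2site-v1 and site2site-v2 are made up for this example.

```ini
# Added example ipsec.conf fragment (not from the original message).
# Assumption: left/right addresses are the same in all conns, so the
# ikev1-pinned site2site conn gets the same ike score as "rw" and the
# exact rightid (score 20) beats rightid=%any (score 1).

conn site2site-common
    # not loaded itself (auto defaults to ignore); only pulled in via also=
    authby=rsasig
    rightid="DN from the peer's cert"
    # remaining site2site settings (left/right, subnets, certs) go here

# IKEv1 variant: pinned to ikev1 so its ike score ties with "rw"
conn site2site-v1
    also=site2site-common
    keyexchange=ikev1
    auto=add

# IKEv2 variant keeps IKEv2 available for the same peer
conn site2site-v2
    also=site2site-common
    keyexchange=ikev2
    auto=add

conn rw
    authby=rsasig
    keyexchange=ikev1
    rightid=%any
    auto=add
```

After reloading the configuration (for example with ipsec update) the check is the same "candidate ... match: me/other/ike" lines in the charon log: if the assumption holds, site2site-v1 and rw now report the same ike score and site2site-v1 is listed first on the strength of its ID score. Pinning the version this way costs nothing for the road-warrior conn, which was IKEv1-only already.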