[Swan] IDs don't match on selected profile, so why is it being selected?

Matthew Johnson matthew.f.j at gmail.com
Wed Oct 3 22:04:56 UTC 2018


Paul,

Thanks for your reply. I didn't realize both sides couldn't have the same
ID. I managed to work around the problem by being very specific with the
"right" setting on the east side of the connection (single IP /32).

Matt

On Wed, Sep 12, 2018 at 2:24 PM Paul Wouters <paul at nohats.ca> wrote:

> On Wed, 12 Sep 2018, Matthew Johnson wrote:
>
> > I have two connections on east.
> >
> > conn test#0.0.0.0/0
> >         type=transport
> >         authby=null
> >         leftid=@mesh
> >         rightid=@mesh
>
> Both sides cannot have the same ID.
>
> >         left=%defaultroute
> >         right=0.0.0.0
>
> 0.0.0.0 is %any, I would write it as %any
>
> > When the connection is initiated by west, it matches test#0.0.0.0/0 on
> east, which is not what I
> > would expect. I would have thought the mismatched left/right IDs would
> have caused the system to
> > find a better match - conman-pool-server. Am I missing something here?
>
> Are you sure? The initial IKE_INIT exchange of packets can match on any
> connection where %any is in use. It will be refined on the second packet
> exchange (IKE_AUTH) and it can then "switch" connection.
>
> But regardless, the test connection is wrongly using the same ID for
> both ends of the connection.
>
> Paul
>
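A small checker for the two configuration problems Paul points out above (identical leftid/rightid, and a bare 0.0.0.0 where %any is meant), written as an added example for this thread and not code from libreswan. It parses only the simple "conn NAME" plus indented key=value layout shown in the quoted message; the second, corrected conn block (the @east/@west IDs and the 192.0.2.10 peer address) is constructed here to mirror Matt's workaround of giving "right" a specific address.

```python
"""Lint libreswan-style conn blocks for the issues raised in the thread:
leftid equal to rightid, and right=0.0.0.0 written instead of %any.
Added example, not libreswan's own code; it understands only the
'conn NAME' + indented key=value layout from the quoted message."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the conn as posted in the thread, followed by a
# corrected version whose IDs and peer address are made up for illustration.
SAMPLE_CONF = """\
conn test#0.0.0.0/0
        type=transport
        authby=null
        leftid=@mesh
        rightid=@mesh
        left=%defaultroute
        right=0.0.0.0

conn test-fixed
        type=transport
        authby=null
        leftid=@east
        rightid=@west
        left=%defaultroute
        right=192.0.2.10
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section.

    Only whole-line comments (starting with '#') are stripped, because a
    conn name such as 'test#0.0.0.0/0' legitimately contains '#'.
    Key=value lines before the first 'conn' line are ignored."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def lint_conn(name: str, kv: Dict[str, str]) -> List[Tuple[str, str]]:
    """Findings for one conn, as (conn_name, message) pairs."""
    findings: List[Tuple[str, str]] = []
    leftid, rightid = kv.get("leftid"), kv.get("rightid")
    if leftid is not None and leftid == rightid:
        findings.append((name, f"leftid and rightid are both {leftid}; "
                               "the two ends of a connection need distinct IDs"))
    for side in ("left", "right"):
        if kv.get(side) == "0.0.0.0":
            findings.append((name, f"{side}=0.0.0.0 means %any; "
                                   "write %any so the wildcard is explicit"))
    return findings


def lint(text: str) -> List[Tuple[str, str]]:
    """Run lint_conn over every conn block in an ipsec.conf-style text."""
    out: List[Tuple[str, str]] = []
    for name, kv in parse_conns(text).items():
        out.extend(lint_conn(name, kv))
    return out


if __name__ == "__main__":
    for conn_name, msg in lint(SAMPLE_CONF):
        print(f"{conn_name}: {msg}")
```

Running it reports two findings, both against the original conn block, and none against the corrected one; the wildcard finding is only a style point, while the identical-ID finding is the one that breaks peer selection.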