[Swan] Wildcarding rightid
Paul Wouters
paul at nohats.ca
Fri Apr 5 08:40:02 UTC 2019
On Tue, 2 Apr 2019, Messa, Michael - 0664 - MITLL wrote:
> I am attempting to configure a client to connect with a server in tunnel mode where the client does not know the ID of the
> server prior to initiating the key exchange, and the authentication uses a pre-shared key (PSK).
That is a very strange scenario.
> The server is required to
> identify itself for authentication using a fixed, verbatim identification string.
If that is a fixed string, why can't that the the peer ID known to the
client?
> The client’s sole existence is to connect to only this one server.
The term "only this one server" is based on the PSK without ID? That is
a strange concept of authentication of identity.
> Using StrongSwan I’ve been able to configure a client with a “rightid=%any”, which effectively allows me to wildcard the IDr in
> the IKE. Does LibreSwan offer such a flexibility? If so, what is the appropriate configuration. I’ve tried “rightid=%any”
> despite no documentation saying it was supported. The result was that rightid defaulted to right (as described in the
> documentation) and the IKE fails with an error like:
We currently do not support this. It would be possible to add, but I
would really need to understand the use case first because I still
cannot imagine a scenarion where the constrains you mention are a
valid set of constrains for deployment.
Paul
More information about the Swan
mailing list