[Swan] Wildcarding rightid

Paul Wouters paul at nohats.ca
Fri Apr 5 08:40:02 UTC 2019

On Tue, 2 Apr 2019, Messa, Michael - 0664 - MITLL wrote:

> I am attempting to configure a client to connect with a server in tunnel mode where the client does not know the ID of the
> server prior to initiating the key exchange, and the authentication uses a pre-shared key (PSK).

That is a very strange scenario.

> The server is required to
> identify itself for authentication using a fixed, verbatim identification string.

If that is a fixed string, why can't that the the peer ID known to the

> The client’s sole existence is to connect to only this one server.

The term "only this one server" is based on the PSK without ID? That is
a strange concept of authentication of identity.

> Using StrongSwan I’ve been able to configure a client with a “rightid=%any”, which effectively allows me to wildcard the IDr in
> the IKE. Does LibreSwan offer such a flexibility? If so, what is the appropriate configuration. I’ve tried “rightid=%any”
> despite no documentation saying it was supported. The result was that rightid defaulted to right (as described in the
> documentation) and the IKE fails with an error like:

We currently do not support this. It would be possible to add, but I
would really need to understand the use case first because I still
cannot imagine a scenarion where the constrains you mention are a
valid set of constrains for deployment.


More information about the Swan mailing list