<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hello,<div><br></div>
<div>I was trying to have two different address pools for clients based on info in the certificate DN.</div><div><br></div>
<div>I did this by configuring two basically identical connections, just with different rightaddresspool and rightid.</div><div><br></div>
<div>conn ikev2-cp-static</div>
<div>  left=%eth0</div>
<div>  leftcert=vpn.example.net</div>
<div>  leftid=@vpn.example.net</div>
<div>  leftsendcert=always</div>
<div>  leftsubnet=10.0.0.0/8</div>
<div>  leftrsasigkey=%cert</div>
<div>  right=%any</div>
<div>  rightid="CN=static,O=IKEv2 VPN"</div>
<div>  rightaddresspool=192.168.43.10-192.168.43.10</div>
<div>  rightca=%same</div>
<div>  rightrsasigkey=%cert</div>
<div>  narrowing=yes</div>
<div>  dpddelay=30</div>
<div>  dpdtimeout=120</div>
<div>  dpdaction=clear</div>
<div>  auto=add</div>
<div>  ikev2=insist</div>
<div>  rekey=no</div>
<div>  pfs=no</div>
<div>  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1</div>
<div>  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2</div>
<div>  ikelifetime=24h</div>
<div>  salifetime=24h</div>
<div>  encapsulation=yes</div>
<div>  mobike=yes</div>
<div><br></div>
<div>conn ikev2-cp-others</div>
<div>  left=%eth0</div>
<div>  leftcert=vpn.example.net</div>
<div>  leftid=@vpn.example.net</div>
<div>  leftsendcert=always</div>
<div>  leftsubnet=10.0.0.0/8</div>
<div>  leftrsasigkey=%cert</div>
<div>  right=%any</div>
<div>  rightid="CN=vpnclient,O=IKEv2 VPN"</div>
<div>  rightaddresspool=192.168.43.11-192.168.43.250</div>
<div>  rightca=%same</div>
<div>  rightrsasigkey=%cert</div>
<div>  narrowing=yes</div>
<div>  dpddelay=30</div>
<div>  dpdtimeout=120</div>
<div>  dpdaction=clear</div>
<div>  auto=add</div>
<div>  ikev2=insist</div>
<div>  rekey=no</div>
<div>  pfs=no</div>
<div>  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1</div>
<div>  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2</div>
<div>  ikelifetime=24h</div>
<div>  salifetime=24h</div>
<div>  encapsulation=yes</div>
<div>  mobike=yes</div>
<div><br></div>
<div>This, however, didn't do what I wanted, because no matter which cert I used on the client, the "ikev2-cp-static" connection was always matched on the server (and it subsequently failed certificate auth when I used the cert with CN=vpnclient).</div><div><br></div>
<div>Does that mean only the left/right fields are used to match the connection first, and afterwards the ID is just validated, without falling back to another matching connection?</div><div><br></div>
<div>Is there some place I can read more about how exactly the matching works, and also which connection takes precedence if more than one matches? I was not able to find much info about this.</div><div><br></div>
<div>My end goal was to have one client with a statically assigned IP (hence the small address pool), while other clients have dynamic IPs. I can't use "right" to distinguish them, as they can be behind the same NAT. That's why I tried to use the cert fields. Would anyone have a tip on how else I could accomplish my goal?</div><div><br></div>
<div>Thanks for your help!</div><div><br></div>
<div>Regards,</div><div>Jan</div><div><br></div></body></html>
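An added example, not part of Jan's message and not Libreswan's own code: a small Python lint that parses ipsec.conf-style conn blocks, groups conns that agree on every host-pair parameter, and reports exactly which settings still tell them apart, together with address-pool size and overlap checks. The sample configuration is a constructed copy of the two conns above, trimmed to the parameters that matter here. HOST_PAIR_KEYS is an assumption about which parameters describe the host pair; it is a way to spot this configuration pattern before deployment, not a statement of how Libreswan selects a connection.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample: the two conn blocks from the post, trimmed to the
# parameters relevant to peer matching and address assignment.
SAMPLE_CONF = """\
conn ikev2-cp-static
  left=%eth0
  leftcert=vpn.example.net
  leftid=@vpn.example.net
  leftsubnet=10.0.0.0/8
  right=%any
  rightid="CN=static,O=IKEv2 VPN"
  rightaddresspool=192.168.43.10-192.168.43.10
  rightca=%same
  auto=add

conn ikev2-cp-others
  left=%eth0
  leftcert=vpn.example.net
  leftid=@vpn.example.net
  leftsubnet=10.0.0.0/8
  right=%any
  rightid="CN=vpnclient,O=IKEv2 VPN"
  rightaddresspool=192.168.43.11-192.168.43.250
  rightca=%same
  auto=add
"""

# Assumption: these parameters describe the host pair rather than the peer's
# identity, so conns agreeing on all of them are candidates for the same peer.
HOST_PAIR_KEYS = ("left", "right", "leftid", "leftsubnet")


def parse_conns(text):
    """Parse 'conn <name>' sections into {name: {key: value}}; quotes stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None    # ignore 'config setup' etc.
            if current:
                conns[current] = {}
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def parse_pool(spec):
    """'first-last' (or a single address) -> (first, last) as integers."""
    lo, _, hi = spec.partition("-")
    first, last = int(IPv4Address(lo)), int(IPv4Address(hi or lo))
    if last < first:
        raise ValueError(f"inverted address pool: {spec}")
    return first, last


def pool_size(spec):
    first, last = parse_pool(spec)
    return last - first + 1


def pools_overlap(spec_a, spec_b):
    a0, a1 = parse_pool(spec_a)
    b0, b1 = parse_pool(spec_b)
    return a0 <= b1 and b0 <= a1


def id_only_groups(conns):
    """Lists of conn names that share the same host-pair parameters."""
    groups = defaultdict(list)
    for name, params in conns.items():
        groups[tuple(params.get(k) for k in HOST_PAIR_KEYS)].append(name)
    return [names for names in groups.values() if len(names) > 1]


def differing_keys(conns, names):
    """Keys whose values are not identical across the named conns."""
    keys = set().union(*(conns[n].keys() for n in names))
    return sorted(k for k in keys if len({conns[n].get(k) for n in names}) > 1)


def lint(conns):
    """Human-readable findings about look-alike conns and their address pools."""
    findings = []
    for names in id_only_groups(conns):
        diff = ", ".join(differing_keys(conns, names))
        findings.append(f"{', '.join(names)} share the same host pair and differ "
                        f"only in: {diff}; only those values can separate them")
    pooled = [(n, p["rightaddresspool"]) for n, p in conns.items()
              if "rightaddresspool" in p]
    for n, spec in pooled:
        if pool_size(spec) == 1:
            findings.append(f"{n}: single-address pool {spec} (a static lease)")
    for i, (na, pa) in enumerate(pooled):
        for nb, pb in pooled[i + 1:]:
            if pools_overlap(pa, pb):
                findings.append(f"{na} and {nb}: pools {pa} and {pb} overlap")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conns(SAMPLE_CONF)):
        print("-", finding)
```

Run against the sample, the lint reports that the two conns differ only in rightaddresspool and rightid, and that ikev2-cp-static carries a one-address pool; the two pools do not overlap. The same parser can be pointed at a full ipsec.conf to find any other conn pairs that rely solely on the peer ID to be told apart.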