
List:       libreswan
Subject:    Re: [Swan] IDs don't match on selected profile, so why is it being selected?
From:       Paul Wouters <paul () nohats ! ca>
Date:       2018-09-12 20:23:57
Message-ID: alpine.LRH.2.21.1809121620450.25673 () bofh ! nohats ! ca

On Wed, 12 Sep 2018, Matthew Johnson wrote:

> I have two connections on east.
> 
> conn test#0.0.0.0/0
>         type=transport
>         authby=null
>         leftid=@mesh
>         rightid=@mesh

Both sides cannot have the same ID.

>         left=%defaultroute
>         right=0.0.0.0

0.0.0.0 is %any; I would write it as %any.

> When the connection is initiated by west, it matches test#0.0.0.0/0 on east, which is not what I
> would expect. I would have thought the mismatched left/right IDs would have caused the system to
> find a better match - conman-pool-server. Am I missing something here?

Are you sure? The initial IKE_INIT exchange of packets can match on any
connection where %any is in use. It will be refined on the second packet
exchange (IKE_AUTH) and it can then "switch" connection.

But regardless, the test connection is wrongly using the same ID for
both ends of the connection.

Paul