From: Tobias Brunner Date: Tue, 18 Sep 2012 09:45:12 +0000 (+0200) Subject: Set AUTH_RULE_IDENTITY_LOOSE for rightid=% X-Git-Tag: 5.0.1~92 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b7a500e985811549c42e817ce48d3b6fc2fb45bf;p=thirdparty%2Fstrongswan.git Set AUTH_RULE_IDENTITY_LOOSE for rightid=%
---
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 3c9f264092..ea935b6c33 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -662,6 +662,18 @@ Can be an IP address, a fully-qualified domain name, an email address, or a
 keyid. If
 .B leftcert
 is configured the identity has to be confirmed by the certificate.
+
+For IKEv2 and
+.B rightid
+the prefix
+.B %
+in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
+request and will allow it to verify the configured identity against the subject
+and subjectAltNames contained in the responder's certificate (otherwise it is
+only compared with the IDr returned by the responder). The IDr sent by the
+initiator might otherwise prevent the responder from finding a config if it
+has configured a different value for
+.BR leftid .
 .TP
 .BR leftid2 " = "
 identity to use for a second authentication for the left participant
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index fd11826198..cdeed867d2 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -377,6 +377,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 char *auth, *id, *pubkey, *cert, *ca, *groups;
 stroke_end_t *end, *other_end;
 auth_cfg_t *cfg;
+ bool loose = FALSE;
 /* select strings */
 if (local)
@@ -419,6 +420,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 ca = other_end->ca2;
 }
 }
+ if (id && *id == '%' && !streq(id, "%any")) { /* has only an effect on rightid/2 */ loose = !local; id++; } if (!auth) {
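Review bot: The `%` prefix is stripped for leftid/leftid2 as well — `id++` runs regardless of `local`, only `loose` is gated on `!local` — so a local identity such as `%foo` is silently turned into `foo` with no diagnostic, which means an operator typo or any future `%`-keyword on the left side is accepted rather than rejected. I would either restrict the stripping to the remote side, `if (!local && id && *id == '%' && !streq(id, "%any"))`, or keep the stripping and log it, e.g. `DBG1(DBG_CFG, "ignoring '%%' prefix on leftid, only supported for rightid");` (assuming the DBG1/DBG_CFG logging macros used elsewhere in this plugin are in scope here). The `%any` exclusion also deserves a check: if the identity parser accepts other `%`-keywords (e.g. an IPv6 wildcard form), they would be mangled into plain identities by this branch, so it is worth confirming against the identification string parser before relying on a single exclusion. The last trailing context line of this hunk appears to have been lost in the collapsed layout, and build_auth_cfg continues past it.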
@@ -470,6 +476,10 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 if (identity->get_type(identity) != ID_ANY)
 {
 cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
+ if (loose) { cfg->add(cfg, AUTH_RULE_IDENTITY_LOOSE, TRUE); } } else {
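Review bot: The `if (loose)` branch adds the rule without saying what it relaxes, and the only explanation lives in the man page part of this commit; a short comment above it would spare the next reader the cross-reference, e.g. `/* %-prefixed rightid: omit IDr from IKE_AUTH and match the configured identity against the peer certificate's subject/SANs, not only the IDr the peer returns */` (wording taken from the ipsec.conf.5 hunk). Note that `loose` is silently dropped on the `else` path where the parsed identity is ID_ANY; that is harmless for `%any` itself, but a value like `%%any` passes the earlier prefix check, is stripped to `%any` and ends up here with the flag lost, so either a one-line comment documenting that ID_ANY ignores the prefix or an explicit rejection would make the behaviour deliberate. Whether `cfg->add` reads the `TRUE` argument as `bool` or `int` through its variadic parameter is not visible in this hunk; worth a glance at auth_cfg_t's add(), since a `bool` promoted through `...` must be fetched as `int`. The enclosing if/else and build_auth_cfg itself both continue outside the hunk.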