Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>

2 files changed, 22 insertions, 0 deletions

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 3c9f26409..ea935b6c3 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -662,6 +662,18 @@ Can be an IP address, a fully-qualified domain name, an email address, or
 a keyid. If
 .B leftcert
 is configured the identity has to be confirmed by the certificate.
+
+For IKEv2 and
+.B rightid
+the prefix
+.B %
+in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
+request and will allow it to verify the configured identity against the subject
+and subjectAltNames contained in the responder's certificate (otherwise it is
+only compared with the IDr returned by the responder).  The IDr sent by the
+initiator might otherwise prevent the responder from finding a config if it
+has configured a different value for
+.BR leftid .
 .TP
 .BR leftid2 " = <id>"
 identity to use for a second authentication for the left participant
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index fd1182619..cdeed867d 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -377,6 +377,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	char *auth, *id, *pubkey, *cert, *ca, *groups;
 	stroke_end_t *end, *other_end;
 	auth_cfg_t *cfg;
+	bool loose = FALSE;
 
 	/* select strings */
 	if (local)
@@ -419,6 +420,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			ca = other_end->ca2;
 		}
 	}
+	if (id && *id == '%' && !streq(id, "%any"))
+	{	/* has only an effect on rightid/2 */
+		loose = !local;
+		id++;
+	}
 
 	if (!auth)
 	{
@@ -470,6 +476,10 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	if (identity->get_type(identity) != ID_ANY)
 	{
 		cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
+		if (loose)
+		{
+			cfg->add(cfg, AUTH_RULE_IDENTITY_LOOSE, TRUE);
+		}
 	}
 	else
 	{