path: root/man/ipsec.conf.5.in
author Tobias Brunner <tobias@strongswan.org> 2012-09-18 11:45:12 +0200
committer Tobias Brunner <tobias@strongswan.org> 2012-09-18 14:40:41 +0200
commit b7a500e985811549c42e817ce48d3b6fc2fb45bf
tree 89bd82ec5b2fc46590408aa93c9aa68c87cbefa0 /man/ipsec.conf.5.in
parent e6fcc172f889681ddcefff50a186135b3cfb8b6b
Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>
Diffstat (limited to 'man/ipsec.conf.5.in')
-rw-r--r-- man/ipsec.conf.5.in 12
1 files changed, 12 insertions, 0 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 3c9f26409..ea935b6c3 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -662,6 +662,18 @@ Can be an IP address, a fully-qualified domain name, an email address, or
a keyid. If
.B leftcert
is configured the identity has to be confirmed by the certificate.
+
+For IKEv2 and
+.B rightid
+the prefix
+.B %
+in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
+request and will allow it to verify the configured identity against the subject
+and subjectAltNames contained in the responder's certificate (otherwise it is
+only compared with the IDr returned by the responder). The IDr sent by the
+initiator might otherwise prevent the responder from finding a config if it
+has configured a different value for
+.BR leftid .
.TP
.BR leftid2 " = <id>"
identity to use for a second authentication for the left participant
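Review bot: The added paragraph (after "confirmed by the certificate.") documents the % prefix only for IKEv2 and rightid, but it is placed in an entry whose surrounding text is about the left side (leftcert above, leftid2 below) and it does not say what a % prefix does on leftid or under IKEv1, so a reader cannot tell whether it is rejected, ignored or taken as part of the identity there; please state that explicitly. The parenthetical "otherwise it is only compared with the IDr returned by the responder" also leaves open whether, with the prefix set, the returned IDr is still checked at all or whether a match on the certificate's subject or subjectAltNames alone is sufficient. Since the commit subject names this a loose identity rule, the man page should spell out exactly what the initiator accepts. A one-line example in the form used in the commit subject, rightid=%<identity>, would help, and the "otherwise" in the last sentence reads ambiguously so soon after the one in the parenthetical; consider "Without the prefix, the IDr sent by the initiator might prevent ...".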