author | Tobias Brunner <tobias@strongswan.org> | 2012-09-18 11:45:12 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2012-09-18 14:40:41 +0200 |
commit | b7a500e985811549c42e817ce48d3b6fc2fb45bf (patch) | |
tree | 89bd82ec5b2fc46590408aa93c9aa68c87cbefa0 /man/ipsec.conf.5.in | |
parent | e6fcc172f889681ddcefff50a186135b3cfb8b6b (diff) | |
download | strongswan-b7a500e985811549c42e817ce48d3b6fc2fb45bf.tar.bz2 strongswan-b7a500e985811549c42e817ce48d3b6fc2fb45bf.tar.xz |
Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>
Diffstat (limited to 'man/ipsec.conf.5.in')
-rw-r--r-- | man/ipsec.conf.5.in | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 3c9f26409..ea935b6c3 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -662,6 +662,18 @@ Can be an IP address, a fully-qualified domain name, an email address, or a keyid. If .B leftcert is configured the identity has to be confirmed by the certificate. + +For IKEv2 and +.B rightid +the prefix +.B % +in front of the identity prevents the daemon from sending IDr in its IKE_AUTH +request and will allow it to verify the configured identity against the subject +and subjectAltNames contained in the responder's certificate (otherwise it is +only compared with the IDr returned by the responder). The IDr sent by the +initiator might otherwise prevent the responder from finding a config if it +has configured a different value for +.BR leftid . .TP .BR leftid2 " = <id>" identity to use for a second authentication for the left participant |
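Review bot: The new paragraph after the leftcert sentence restricts the % prefix to IKEv2 and rightid, but never says what happens when the prefix is used on leftid or on an IKEv1 connection, so a reader cannot tell whether it is rejected, ignored or taken as part of the identity. Consider adding one sentence that states this. The paragraph also sits in the leftid entry without showing the syntax; the commit subject writes it as rightid=%<identity>, and repeating that form in the man page would remove the ambiguity of "the prefix % in front of the identity". Finally, the parenthetical "otherwise it is only compared with the IDr returned by the responder" describes only the unprefixed case; the text should say whether the IDr returned by the responder is still checked against anything when the prefix is set, since that determines what the initiator is actually authenticating.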