[Openswan Users] How to force "best-match" for connections?
Andreas Steffen
andreas.steffen at strongsec.net
Wed Nov 3 18:32:41 CET 2004
    leftprotoport=17/0

is not a wildcard but this is what the Windows XP SP2 client
actually proposes during IKE Quick Mode.

    leftprotoport=17/1701

does not match Microsoft's proposal.

    leftprotoport=17/%any

would be a wildcard parameter but as far as I remember,
I have not included the degree of port matching in the
computation of the best-fit cost function.

Regards

Andreas

Tarountaev Evgueni wrote:
> I have two connections in my ipsec.conf file
>
> conn roadwarrior-l2tp-updatedwin
>     pfs=no
>     leftprotoport=17/1701
>     rightprotoport=17/1701
>     also=roadwarrior
>
> conn roadwarrior-l2tp
>     pfs=no
>     leftprotoport=17/0
>     rightprotoport=17/1701
>     also=roadwarrior
>
> But when I initiate a connection from a Windows XP SP2 client, I see that the
> "roadwarrior-l2tp" connection is chosen. Order in the ipsec.conf file does not
> matter.
>
> So how to force "best-match" for connections?

=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
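
Added example (not part of the original message and not Openswan's code): a simplified Python model of the protoport matching described above, showing why only the 17/0 connection is a candidate and why a 17/%any connection ties with it when the cost ignores port specificity. The connection "roadwarrior-l2tp-any", the right-side proposal 17/1701, the updated-client proposal 17/1701 and the port_aware cost term are assumptions made for illustration.

```python
# Simplified model of protoport matching; constructed for illustration,
# not the daemon's actual algorithm.
from typing import List, NamedTuple, Tuple, Union

ANY = "%any"

class Conn(NamedTuple):
    name: str
    left: str    # leftprotoport, e.g. "17/0", "17/1701", "17/%any"
    right: str   # rightprotoport

def parse(spec: str) -> Tuple[int, Union[int, str]]:
    proto, port = spec.split("/")
    return int(proto), (ANY if port == ANY else int(port))

def side_matches(configured: str, proposed: str) -> bool:
    # Port 0 is compared literally (it is not a wildcard); only %any is.
    cproto, cport = parse(configured)
    pproto, pport = parse(proposed)
    return cproto == pproto and (cport == ANY or cport == pport)

def port_wildcards(conn: Conn) -> int:
    # Hypothetical cost term: number of sides that use %any.
    return sum(parse(s)[1] == ANY for s in (conn.left, conn.right))

def candidates(conns: List[Conn], left: str, right: str) -> List[Conn]:
    return [c for c in conns
            if side_matches(c.left, left) and side_matches(c.right, right)]

def best_fit(conns: List[Conn], left: str, right: str,
             port_aware: bool) -> List[str]:
    """Return the names of all candidates that share the lowest cost."""
    cands = candidates(conns, left, right)
    cost = port_wildcards if port_aware else (lambda c: 0)
    low = min(map(cost, cands), default=None)
    return [c.name for c in cands if cost(c) == low]

# The two connections from the quoted ipsec.conf.
USER_CONNS = [
    Conn("roadwarrior-l2tp-updatedwin", "17/1701", "17/1701"),
    Conn("roadwarrior-l2tp", "17/0", "17/1701"),
]
# Constructed third connection using the wildcard form.
ANY_CONN = Conn("roadwarrior-l2tp-any", "17/%any", "17/1701")

if __name__ == "__main__":
    for aware in (False, True):
        print(aware, best_fit(USER_CONNS + [ANY_CONN], "17/0", "17/1701", aware))
```

With port_aware=False both the 17/0 and the 17/%any connection are returned as equally good; with port_aware=True the exact-port connection wins.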