strongSwan

So you can close this issue.

Hi Tobias

it looks that this is the last issue for our usage which we need to solve. I know that strongswan does not support this features but could you give advice how to implement FQDNs identities resolving

Thanks.

Hi Tobias,

no advice from you how to solve it?

Thanks.

no advice from you how to solve it?

Generate the config file? (see #2056)

But why can't you just use FQDNs as identities?

This issue is still related to Openswan's interoperability. If Openswan has not defined ID in config file then uses IP adrress as ID (strongswan does too). If left side is set as FQDN then resolves this FQDN before using it as ID (strongswan does not).

Our opinion is that the best solution is solve it within charon daemon (similarly like pluto). Some customer uses dyndns service in their application (responder ipsec side). It means that ip address is time variable due to restarting mobile wan connection etc. So the one-shot resolving during charon startup is not solution.

Thanks.

If left side is set as FQDN then resolves this FQDN before using it as ID (strongswan does not).

I'm sure this can be prevented by prefixing the FQDN with an @.

Our opinion is that the best solution is solve it within charon daemon (similarly like pluto).

How is that better than a simple configuration change?

It means that ip address is time variable due to restarting mobile wan connection etc. So the one-shot resolving during charon startup is not solution.

Which is exactly the reason you should use an identity that does not change, like a FQDN (or an arbitrary fixed IP).