On 2007/02/22 19:38, jared r r spiegel wrote:
> On Fri, Feb 23, 2007 at 12:09:27AM +0000, Stuart Henderson wrote:
> >
> > obviously having the same names, the first is overwritten by the second.
> >
> > Would I be totally going down the wrong route if I were to change
> > the hardcoded -default and default- section names in ipsecctl/ike.c
> > to something based on dstid?
>
> as long as it doesn't then try to use dstid's value
> for, say:
>
> C set [net.100]:Address=net.100 force

that's along the lines I was thinking.

> and then making sure it jived nicely if you actually wanted to do
> an IPaddr in some other potentially configured peer

I think that's not a problem;

	if (r->peer) {
		fprintf(fd, SET "[peer-%s]:Remote-ID=%s-ID force\n",
		    r->peer->name, r->peer->name);
		fprintf(fd, SET "[%s-ID]:ID-type=%s force\n",
		    r->peer->name, ike_id_types[idtype]);
		fprintf(fd, SET "[%s-ID]:Name=%s force\n",
		    r->peer->name, r->auth->dstid);
	} else {
		fprintf(fd, SET "[peer-default]:Remote-ID=default-ID force\n");
		fprintf(fd, SET "[default-ID]:ID-type=%s force\n",
		    ike_id_types[idtype]);
		fprintf(fd, SET "[default-ID]:Name=%s force\n",
		    r->auth->dstid);
	}

the first half is used if you specify 'peer foo' (it is also used if you
specify 'ike esp from xx to foo' where foo is an ip address not a subnet,
in which case it is also taken as the peer address: this is a
sometimes-useful shortcut, I couldn't decide whether it was intentional
or not, but suffice to say 'attribute_unacceptable: ENCRYPTION_ALGORITHM:
got AES_CBC, expected 3DES_CBC' does not immediately lead you to this as
being the problem :-)
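The naming problem discussed above, as an added example that is not ipsecctl's code and not from anyone in this thread: a small emitter for the three isakmpd "C set" lines that ike.c writes for a rule's remote ID. With derive == 0 it reproduces ike.c's naming (the peer name, or the hard-coded "default" when no 'peer' is given, so two peer-less rules land in the same [default-ID] section); with derive == 1 a peer-less rule gets a section name derived from its dstid. The derivation rule, the "id-" prefix (kept so the dstid value itself is never used as a section or Address name, per the caveat above) and the helper names are assumptions made for this example; the rules fed to it are constructed.

```c
/*
 * Added example, not code from ipsecctl/ike.c or from this thread.
 * Emits the "C set" lines ike.c writes for a rule's remote ID, either
 * with ike.c's own section names (derive == 0) or with a hypothetical
 * dstid-derived name for peer-less rules (derive == 1).
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SET "C set "

/*
 * Hypothetical naming rule (an assumption): "id-" followed by the dstid
 * with every character outside [A-Za-z0-9.-] replaced by '_'.  The
 * prefix keeps the name apart from peer names and from address sections
 * such as [net.100], so the raw dstid never becomes an Address value.
 */
static void
dstid_section(const char *dstid, char *out, size_t outlen)
{
	size_t n;

	if (outlen < 4) {
		if (outlen > 0)
			out[0] = '\0';
		return;
	}
	n = (size_t)snprintf(out, outlen, "id-");
	for (; *dstid != '\0' && n + 1 < outlen; dstid++, n++) {
		unsigned char c = (unsigned char)*dstid;
		out[n] = (isalnum(c) || c == '.' || c == '-') ? (char)c : '_';
	}
	out[n] = '\0';
}

/* Section name for a rule: peer name, "default", or dstid-derived. */
static void
section_name(const char *peer_name, const char *dstid, int derive,
    char *out, size_t outlen)
{
	if (peer_name != NULL)
		snprintf(out, outlen, "%s", peer_name);
	else if (derive)
		dstid_section(dstid, out, outlen);
	else
		snprintf(out, outlen, "default");
}

/*
 * Returns the three "C set" lines for one rule in a static buffer.
 * idtype is the string ike.c takes from ike_id_types[], e.g. "FQDN".
 */
const char *
remote_id_lines(const char *peer_name, const char *idtype,
    const char *dstid, int derive)
{
	static char buf[1024];
	char sect[256];

	section_name(peer_name, dstid, derive, sect, sizeof sect);
	snprintf(buf, sizeof buf,
	    SET "[peer-%s]:Remote-ID=%s-ID force\n"
	    SET "[%s-ID]:ID-type=%s force\n"
	    SET "[%s-ID]:Name=%s force\n",
	    sect, sect, sect, idtype, sect, dstid);
	return buf;
}

/* 1 if two rules would write into the same [...-ID] section, else 0. */
int
sections_collide(const char *peer_a, const char *dstid_a,
    const char *peer_b, const char *dstid_b, int derive)
{
	char sa[256], sb[256];

	section_name(peer_a, dstid_a, derive, sa, sizeof sa);
	section_name(peer_b, dstid_b, derive, sb, sizeof sb);
	return strcmp(sa, sb) == 0;
}

int
main(void)
{
	/* Constructed input: two peer-less rules with different dstids. */
	int derive;

	for (derive = 0; derive < 2; derive++) {
		printf("--- %s ---\n",
		    derive ? "dstid-derived names" : "ike.c names");
		fputs(remote_id_lines(NULL, "FQDN", "gw-a.example.org",
		    derive), stdout);
		fputs(remote_id_lines(NULL, "FQDN", "gw-b.example.org",
		    derive), stdout);
		printf("collide: %d\n", sections_collide(NULL,
		    "gw-a.example.org", NULL, "gw-b.example.org", derive));
	}
	return 0;
}
```

Running it prints both rules twice: first with ike.c's names, where both write [default-ID] and the collision flag is 1, then with derived names, where each rule gets its own [id-gw-a.example.org-ID] / [id-gw-b.example.org-ID] section and the flag is 0. A rule that does name a 'peer' is unaffected, since the peer branch is left exactly as in ike.c.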