On 2015/09/30 18:09, Reyk Floeter wrote:
> On Wed, Sep 30, 2015 at 04:30:15PM +0100, Stuart Henderson wrote:
> > On 2015/09/30 17:17, Reyk Floeter wrote:
> > > The attached diff always responds with a CERT or public key. If the
> > > peer didn't send a CERTREQ, iked now picks a cert based on its own
> > > trusted CAs (which usually includes the CA that signed your local
> > > cert).
> >
> > This diff looks sane, OK with me, though I don't have a way to test it.
>
> Testing it with non-iOS implementations would also help :)
I have tried, but unfortunately, for (I think) all the places I'm currently running IPsec, I either need to support IKEv1 or IKEv1+L2TP clients, or it's a multi-homed machine and I need it to bind for sending messages, otherwise SA_INITs come from the wrong local address. (Setting "local" in the config doesn't change this. I got a bit lost in the maze of FD passing, though I think I've worked out where I can hard-code it now.)