vici: Match identity with wildcards against remote ID in redirect command

src/libcharon/plugins/vici/README.md

@@ -298,7 +298,8 @@ supported by the peer.
 		ike = <redirect an IKE_SA by configuration name>
 		ike-id = <redirect an IKE_SA by its unique id>
 		peer-ip = <redirect an IKE_SA with matching peer IP>
-		peer-id = <redirect an IKE_SA with matching peer identity>
+		peer-id = <redirect an IKE_SA with matching peer identity, may contain
+				   wildcards>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure>

src/libcharon/plugins/vici/vici_control.c

@@ -366,7 +366,7 @@ CALLBACK(redirect, vici_message_t*,
 	enumerator_t *sas;
 	char *ike, *peer_ip, *peer_id, *gw, *errmsg = NULL;
 	u_int ike_id, current, found = 0;
-	identification_t *gateway, *identity = NULL;
+	identification_t *gateway, *identity = NULL, *other_id;
 	host_t *address = NULL;
 	ike_sa_t *ike_sa;
 	vici_builder_t *builder;
@@ -445,10 +445,13 @@ CALLBACK(redirect, vici_message_t*,
 		{
 			continue;
 		}
-		if (identity &&
-			!identity->equals(identity, ike_sa->get_other_eap_id(ike_sa)))
+		if (identity)
 		{
-			continue;
+			other_id = ike_sa->get_other_eap_id(ike_sa);
+			if (!other_id->matches(other_id, identity))
+			{
+				continue;
+			}
 		}
 		lib->processor->queue_job(lib->processor,
 				(job_t*)redirect_job_create(ike_sa->get_id(ike_sa), gateway));

src/swanctl/commands/redirect.c

@@ -117,7 +117,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		redirect, 'd', "redirect", "redirect an IKE_SA",
 		{"--ike <name> | --ike-id <id> | --peer-ip <ip>",
-		 "--peer-id <id> | --gateway <ip|fqdn> [--raw|--pretty]"},
+		 "--peer-id <id|wildcards> | --gateway <ip|fqdn> [--raw|--pretty]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"ike",			'i', 1, "redirect by IKE_SA name"},