[Swan-dev] Multiple right ids support

Paul Wouters paul at nohats.ca
Sat Oct 13 23:32:37 UTC 2018


On Wed, 10 Oct 2018, Quynh Nguyen wrote:

> The remote side of our tunnels has multiple gateways for failover behind a shared NAT IP. The gateway cluster nodes each have a different PEER ID.
> Is there a way to skip peer ID validation for remote (right), and/or support for specifying multiple rightids (the IPs are the same, and the rightsubnets will also be identical)?

No you cannot skip peer authentication. You can have a setup where the
peer id comes from a certificate and then any valid certificate would
be okay and you can use rightid=%fromcert.

In the setup you describe, those peers should, when not using certs,
use a peer id type IP_IPV4, and set their public IP as their ID.

You can add two connections with different peer IDs, but you cannot
choose which of the two endpoints you will reach, so it will go wrong
half the time, whenever you connect and hit the wrong one.

Paul
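The two configurations the reply describes, written out as an added example that is not part of the original message or of the Libreswan distribution. The addresses are RFC 5737 documentation ranges, and the conn names, certificate nickname and subnets are assumptions; adjust them to the real sites.

```ini
# Added example, not from the original post. Two ways to write the
# "right" side in Libreswan ipsec.conf when several cluster nodes sit
# behind one shared NAT IP (203.0.113.5 here, an assumed address).

# Option 1: certificate authentication. rightid=%fromcert takes the peer
# ID from whatever certificate the peer presents, so each cluster node
# can carry its own certificate and its own ID. Any certificate that
# validates is accepted, so pin the issuing CA with rightca (here %same,
# assuming the nodes are issued by the same CA as the local cert).
conn cluster-certs
        ikev2=insist
        authby=rsasig
        left=198.51.100.10
        leftid=@hq.example.net
        leftcert=hq-gw
        leftsubnet=10.1.0.0/16
        right=203.0.113.5
        rightid=%fromcert
        rightca=%same
        rightsubnet=10.2.0.0/16
        auto=start

# Option 2: pre-shared key, no certificates. Every cluster node must then
# present the same ID, its public (NAT) IP, so that this one conn and the
# matching ipsec.secrets entry apply whichever node answers.
conn cluster-psk
        ikev2=insist
        authby=secret
        left=198.51.100.10
        leftid=198.51.100.10
        leftsubnet=10.1.0.0/16
        right=203.0.113.5
        rightid=203.0.113.5
        rightsubnet=10.2.0.0/16
        auto=start
```

With option 2 the cluster nodes must be configured to send ID type IP_IPV4 with the shared public address rather than their internal addresses or hostnames, and the ipsec.secrets line is keyed on those two IPs. Keep only one of the two conns active for a given peer; defining one conn per node ID, as the reply notes, leaves the initiator unable to pick which node the NAT will hand the connection to.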

