[Swan] Failover struggles
John Crisp
jcrisp at safeandsoundit.co.uk
Thu Nov 30 16:01:11 UTC 2017
Hi Paul
On 30/11/17 15:14, Paul Wouters wrote:
> On Fri, 24 Nov 2017, John Crisp wrote:
>
> The issue here is that LibreToDHCP overlaps with LibreToMain because one
> has right=1.2.3.4 and the other has right=%any. But the ID's used
> are the same on both connections. Why can you not _only_ use the
> LibreToDHCP connection, since 1.2.3.4 can also be "any". That way, the
> connection will see a second attempt as replacing the existing
> connection, and you won't get "eroute already in use".
>
Thanks for that.
I was trying to be security conscious and pin the right to the correct
addresses where I could!
Unfortunately I can't see a way to make the Endian box use different
certs for outgoing connections, hence the rightcert HAS to be "Endian".
As an extra then, if I run ipsec/xl2tpd on the same server, will there
be any confusion over right being %any ? I presume so.....
e.g. if I also have an L2TPD ipsec transport connection like this:

conn L2TPD-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    type=transport
    forceencaps=yes
    right=%any
    rightprotoport=17/%any
    left=%defaultroute
    leftprotoport=17/1701
    dpddelay=20
    dpdtimeout=90
    dpdaction=clear
Not sure how else to differentiate connections with %any
B. Rgds
John
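As an added illustration of the overlap Paul describes (this is not code from the thread or from libreswan), a small Python checker that parses ipsec.conf conn blocks and flags a right=%any connection that shares its peer ID and authentication settings with one pinned to an address. The sample config, the @Endian ID and the grouping heuristic are constructed assumptions, not libreswan's real connection-selection logic.

```python
import re
from collections import defaultdict

# Constructed sample reproducing the thread's setup: two cert-based tunnels
# share rightid, one pinned to 1.2.3.4 and one %any, plus the L2TP PSK conn.
SAMPLE_CONF = """\
conn LibreToMain
    right=1.2.3.4
    rightid=@Endian
    authby=rsasig
conn LibreToDHCP
    right=%any
    rightid=@Endian
    authby=rsasig
conn L2TPD-PSK
    right=%any
    rightprotoport=17/%any
    leftprotoport=17/1701
    authby=secret
    type=transport
"""

def parse_conns(text):
    """Parse 'conn NAME' blocks into {name: {key: value}}."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def find_overlaps(conns):
    """Pair each right=%any conn with pinned conns sharing rightid, authby,
    type and protoports (simplified heuristic, not libreswan's selection)."""
    groups = defaultdict(list)
    for name, c in conns.items():
        key = (c.get("rightid"), c.get("authby", "rsasig"), c.get("type", "tunnel"),
               c.get("leftprotoport"), c.get("rightprotoport"))
        groups[key].append((name, c.get("right")))
    overlaps = []
    for members in groups.values():
        anys = [n for n, r in members if r == "%any"]
        pinned = [n for n, r in members if r and r != "%any"]
        overlaps += [(a, p) for a in anys for p in pinned]
    return sorted(overlaps)
```

On the sample, only the two cert-based tunnels are reported as overlapping; the PSK transport conn differs in authby, type and protoports, so it is grouped separately.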