[Swan] Secrets equivalent to %defaultroute

Paul Wouters paul at nohats.ca
Wed Jul 4 15:03:49 UTC 2018


On Wed, 4 Jul 2018, Nick Howitt wrote:

> In the conn you can use left=%defaultroute which automatically picks up your 
> left IP. There does not seem to be an equivalent in the secrets file or am I 
> missing something? I can use an FQDN or I can set %any to get round it but 
> %any has other side effects like limiting you to one secret across all conns.

Note that in IKEv1 Main Mode, you still have the issue of only being
able to use PSKs if they are all the same (e.g. %any).

> I found an old thread between us 9 years ago asking the same question and I 
> am wondering if there has been any progress? In that thread it pushed me to 
> %any which I'd rather not do. To me it would be nice if you could also use 
> %defaultroute or something like %myip to automatically pick up the WAN IP. I 
> can also work round it using IKEv2 and a leftid.

So you say that this does not work as expected:

0.0.0.0 1.2.3.4 : PSK "passwd 1"
0.0.0.0 6.7.8.9 : PSK "passwd 2"

Ideally of course, you both configure ID_FQDN, so you can use:

@myid @remote1 : PSK "passwd 1"
@myid @remote2 : PSK "passwd 2"

If you are on a Cisco that only has ID_IP type, please upgrade its
firmware. They do support it.

Paul


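As an added illustration that is not part of the thread, this is how the ID_FQDN approach in Paul's reply ties ipsec.conf to ipsec.secrets: the local identity is a name rather than the address picked by %defaultroute, so each peer can get its own PSK. The conn names, IDs and peer addresses are made up, and `ikev2=insist` is the libreswan 3.x-era spelling of the IKEv2 setting Nick mentions as his workaround.

```conf
# /etc/ipsec.conf (constructed example)
# left=%defaultroute still selects the WAN address, but the identity sent
# to the peer and used for the secrets lookup is the fixed name @myid.
conn remote1
    left=%defaultroute
    leftid=@myid
    right=203.0.113.10
    rightid=@remote1
    authby=secret
    ikev2=insist
    auto=start

conn remote2
    left=%defaultroute
    leftid=@myid
    right=198.51.100.20
    rightid=@remote2
    authby=secret
    ikev2=insist
    auto=start

# /etc/ipsec.secrets (constructed example)
# Selection is by ID pair, so each peer gets a distinct PSK and no
# 0.0.0.0 or %any wildcard is needed on the local side.
@myid @remote1 : PSK "passwd 1"
@myid @remote2 : PSK "passwd 2"
```

The per-peer lookup above relies on IKEv2, where the peer's ID is known before the PSK is applied; with IKEv1 Main Mode the PSK is used before the ID arrives, which is why Paul notes that PSKs then have to be identical across conns.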