[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Wed Jan 23 18:20:22 UTC 2019

On Wed, 23 Jan 2019, Alex wrote:

> I forgot to add the ipsec auto output that shows it has a problem with %any:
>> config setup
>>         protostack=netkey
>> conn mysubnet
>>         also=wyckofftun
>>         rightsubnet=
>>         leftsubnet=
>>         auto=start
>> conn wyckofftun
>>         authby=rsasig
>>         auto=start
>>         ikev2=insist
>>         fragmentation=yes
>>         # dynamic side
>>         rightid=@wyckoff-orion
>>         right=%any
>>         # rsakey AwEAAbhmG
>>         rightrsasigkey=0sAwEAAbhmGOeY6...
>>         # server side
>>         leftid=@orion-wyckoff
>>         left=%defaultroute
>>         # rsakey AwEAAbrFz
>>         leftrsasigkey=0sAwEAAbrFzHlMRChBGKU...

note, i would remove the empty lines to prevent possible confusion with
the config parser thinking a new section is starting.

> # ipsec auto --up wyckofftun
> 029 "wyckofftun": cannot initiate connection without knowing peer IP

You cannot use right=%any and left=%defaultroute, as then libreswan
cannot determine whether it is supposed to be "right" or "left".

Regardless, if you initiate, you must know the remote endpoint's DNS
name or IP address. If one endpoint is behind NAT, only that endpoint
can initiate. Unless it is behind a NAT that does port forwarding, in
wich case your right= should be the hostname or IP address of the NAT

Initiating a connection to "any" does not provide information where your
remote endpoint actually is......


More information about the Swan mailing list