[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Wed Jan 23 18:20:22 UTC 2019


On Wed, 23 Jan 2019, Alex wrote:

> I forgot to add the ipsec auto output that shows it has a problem with %any:
>
>> config setup
>>         protostack=netkey
>>
>> conn mysubnet
>>         also=wyckofftun
>>         rightsubnet=192.168.11.0/24
>>         leftsubnet=192.168.1.0/24
>>         auto=start
>>
>> conn wyckofftun
>>         authby=rsasig
>>         auto=start
>>         ikev2=insist
>>         fragmentation=yes
>>
>>         # dynamic side
>>         rightid=@wyckoff-orion
>>         right=%any
>>         # rsakey AwEAAbhmG
>>         rightrsasigkey=0sAwEAAbhmGOeY6...
>>
>>         # server side
>>         leftid=@orion-wyckoff
>>         left=%defaultroute
>>         # rsakey AwEAAbrFz
>>         leftrsasigkey=0sAwEAAbrFzHlMRChBGKU...

note, i would remove the empty lines to prevent possible confusion with
the config parser thinking a new section is starting.

> # ipsec auto --up wyckofftun
> 029 "wyckofftun": cannot initiate connection without knowing peer IP

You cannot use right=%any and left=%defaultroute, as then libreswan
cannot determine whether it is supposed to be "right" or "left".

Regardless, if you initiate, you must know the remote endpoint's DNS
name or IP address. If one endpoint is behind NAT, only that endpoint
can initiate. Unless it is behind a NAT that does port forwarding, in
which case your right= should be the hostname or IP address of the NAT
device.

Initiating a connection to "any" does not provide information where your
remote endpoint actually is......

Paul
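
A config pair that follows the advice above, as an added example that is not part of the original thread or of libreswan's own documentation: the NATed road warrior is the only side that knows the peer address, so it carries auto=start, while the server loads the conn with auto=add and waits. The server address 203.0.113.10 is a placeholder assumption; the ids, subnets and (truncated) keys are the ones from the quoted config, with left/right swapped on the road warrior so each side describes itself as left.

```ini
# Added example, not from the original post or from libreswan's docs.
# Assumes: server orion-wyckoff has fixed public IP 203.0.113.10 (placeholder),
# road warrior wyckoff-orion sits behind NAT, keys truncated as in the post.

# --- road warrior side (behind NAT, must be the initiator) ---
conn wyckofftun
    authby=rsasig
    ikev2=insist
    fragmentation=yes
    auto=start                  # this side knows the peer, so it can initiate
    left=%defaultroute          # our current (NATed) address
    leftid=@wyckoff-orion
    leftrsasigkey=0sAwEAAbhmGOeY6...
    right=203.0.113.10          # fixed public IP or DNS name of the server
    rightid=@orion-wyckoff
    rightrsasigkey=0sAwEAAbrFzHlMRChBGKU...
conn mysubnet
    also=wyckofftun
    leftsubnet=192.168.11.0/24
    rightsubnet=192.168.1.0/24
    auto=start

# --- server side (public IP, must be the responder) ---
conn wyckofftun
    authby=rsasig
    ikev2=insist
    fragmentation=yes
    auto=add                    # load only; a conn to %any can never be initiated
    left=203.0.113.10
    leftid=@orion-wyckoff
    leftrsasigkey=0sAwEAAbrFzHlMRChBGKU...
    right=%any                  # peer address is learned when it connects
    rightid=@wyckoff-orion
    rightrsasigkey=0sAwEAAbhmGOeY6...
conn mysubnet
    also=wyckofftun
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.11.0/24
    auto=add
```

With this layout `ipsec auto --up mysubnet` is run only on the road warrior; the server side is `ipsec auto --add mysubnet` (or just a restart), after which it accepts the IKEv2 exchange from whatever source address the NAT presents. If the NAT device forwards UDP 500/4500 to the road warrior, the server's right= can instead be set to the NAT device's address and either side can then initiate, as the reply above notes.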

