[Swan] net-to-net for road warriors
Paul Wouters
paul at nohats.ca
Wed Jan 23 18:32:16 UTC 2019
On Wed, 23 Jan 2019, Nick Howitt wrote:
> # ipsec auto --up wyckofftun
>>> 029 "wyckofftun": cannot initiate connection without knowing peer IP
>>
>> You cannot use right=%any and left=%defaultroute, as then libreswan
>> cannot determine whether it is supposed to be "right" or "left".
>>
> I've used it for years and mention it each time you make this statement.
I agree that in some cases it works to load, and you can possibly respond to
a connection. In general, it is easier to tell people not to do that.
For example, if not using leftid= and behind a port forward, using
left=%defaultroute will end up using a leftid=INTERNAL_IP, which is bad.
But yes, if you are careful, it can be used on the server side, but it
can never be used on the client side.
>> Initiating a connection to "any" does not provide information where your
>> remote endpoint actually is......
> Missed that. On the server side "auto" should be set to "add"
Yes, and running ipsec auto --up won't work.
Paul
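The two sides of the arrangement Paul describes, written out as an added example (not a configuration from the thread or from the libreswan project): the responder keeps right=%any and auto=add, sets leftid= explicitly so a port-forwarded server does not advertise its internal address as its identity, and only the client, which knows the server address, initiates. The identities, subnets and the server address 203.0.113.10 are assumed values.

```ini
# Server side (responder), e.g. /etc/ipsec.d/wyckofftun.conf on the gateway.
# right=%any means the peer address is unknown, so this end can only load the
# conn and wait; "ipsec auto --up" here fails with "cannot initiate connection
# without knowing peer IP". leftid= is set explicitly: with left=%defaultroute
# behind a port forward, the default identity would be the internal IP.
conn wyckofftun
    left=%defaultroute
    # assumed identity, not from the thread
    leftid=@vpn.example.com
    # assumed subnet behind the server
    leftsubnet=10.0.1.0/24
    right=%any
    # assumed road-warrior identity
    rightid=@roadwarrior
    # assumed subnet behind the road warrior
    rightsubnet=10.0.2.0/24
    # pre-shared key, matched by the two IDs above in ipsec.secrets
    authby=secret
    # load only; the road warrior initiates
    auto=add

# Client side (initiator), the same conn name on the road warrior host.
# right= must be a concrete address (or resolvable name) so this end can
# initiate; auto=start or "ipsec auto --up wyckofftun" works from here.
conn wyckofftun
    left=%defaultroute
    leftid=@roadwarrior
    leftsubnet=10.0.2.0/24
    # assumed public address of the server (documentation range)
    right=203.0.113.10
    rightid=@vpn.example.com
    rightsubnet=10.0.1.0/24
    authby=secret
    auto=start
```

Each file belongs on its own host; the conn name is shared only so "ipsec auto --up wyckofftun" on the client matches the loaded conn on the server.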