[Swan] net-to-net for road warriors

Paul Wouters paul at nohats.ca
Thu Jan 24 02:10:33 UTC 2019


On Wed, 23 Jan 2019, Alex wrote:

>>
>>> # ipsec auto --up wyckofftun
>>> 029 "wyckofftun": cannot initiate connection without knowing peer IP
>>
>> You cannot use right=%any and left=%defaultroute, as then libreswan
>> cannot determine whether it is supposed to be "right" or "left".
>
> Then when should it be used?

The host with the configuration right=%any and left=%defaultroute that
you created: you intend that it contacts some specific server on your
LAN. That server has a static IP, I hope, or at least a DNS name.

Anyway, to clarify a bit. I assume you have a VPN server and a bunch of
VPN clients connecting to it. If that is wrong, then you need to explain
again what it is you are trying to do. If you have a VPN server, it
should be reachable via a DNS name or IP address. So then on the VPN
server you can use right=%any and left=%defaultroute, but on the VPN
clients you would use right=VPNserverNameorIP and left=%defaultroute.

> The endpoint is not behind NAT. It is laptops and desktops and phones
> connected to the remote VPN gateway on a private network with a
> dynamic IP. The gateway then uses NAT to allow them to communicate
> with the Internet, of course.

I'm still not fully clear on what you are doing. Are the laptops,
desktops and phones on a LAN with NAT, and there is a remote VPN gateway
somewhere else on the internet? If so, then your right= should for sure
point to that remote VPN server's DNS name or IP address in your clients'
config.

> So you're saying go back to using RSA keys instead of certs, correct?

No I did not.

> I'm again having the same problem I had some months ago when trying to
> create a host-to-host VPN using RSA keys. I've deleted *.db and
> recreated it and it still doesn't work. This is what I've done.

I would stick with the certificates and not go back to raw RSA keys.

Paul
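As an added illustration of the server/client split described in this reply (this is example configuration written for this page, not from the original thread or the libreswan project): the server side can use right=%any because it only answers, while the client side names the server so that `ipsec auto --up` knows which peer to contact. The connection name `rw-lan`, the server name `vpn.example.com`, the certificate nicknames `vpnserver` and `laptop01` and the LAN `192.168.1.0/24` are assumptions.

```ini
# /etc/ipsec.d/rw-lan.conf on the VPN server (assumed: vpn.example.com,
# LAN 192.168.1.0/24 behind it, certificate nickname "vpnserver").
# The server never initiates, so right=%any is fine here: it only needs
# to recognise whichever client shows up and authenticate its certificate.
conn rw-lan
    left=%defaultroute
    leftid=@vpn.example.com
    leftcert=vpnserver
    leftsendcert=always
    leftsubnet=192.168.1.0/24
    right=%any
    rightid=%fromcert
    rightca=%same
    authby=rsasig
    # "add" only loads the conn; "start" would fail with
    # "cannot initiate connection without knowing peer IP".
    auto=add

# /etc/ipsec.d/rw-lan.conf on a road-warrior client (assumed: dynamic
# address behind NAT, certificate nickname "laptop01").
# right= must name the server, otherwise libreswan cannot tell which side
# it is nor which peer to contact when you run "ipsec auto --up rw-lan".
conn rw-lan
    left=%defaultroute
    leftid=%fromcert
    leftcert=laptop01
    leftsendcert=always
    right=vpn.example.com
    rightid=@vpn.example.com
    rightsubnet=192.168.1.0/24
    rightca=%same
    authby=rsasig
    # the client is the one that initiates
    auto=start
```

The two files are deliberately mirror images: what is "left" on each host is that host itself, and the only structural differences are right= (a name on the client, %any on the server) and auto= (start on the initiator, add on the responder). Both sides still authenticate with certificates; this does not revert to raw RSA keys.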
