[Swan] Need Help in %any

Raees Khan raeeskhan.ca at gmail.com
Fri Jan 25 17:02:39 UTC 2019 

*Good Morning Friends,*

Thank you for your support. I have a question regarding left/right section
of IPSec connection.

I have read that the left and right ip of a connection could be

*address* --> It works fine for me.

%*defaultroute* --> It also works fine for me. It automatically uses the
local address of the default-route interface.

%*any*  --> I am facing issue with it. This is what it says.

The value *%any* for the local endpoint signifies an address to be filled
in (by automatic keying) during negotiation. If the local peer initiates
the connection setup the routing table will be queried to determine the
correct local IP address. In case the local peer is responding to a
connection setup then any IP address that is assigned to a local interface
will be accepted.

Prior to 5.0.0 <https://wiki.strongswan.org/projects/strongswan/wiki/500>
 specifying *%any* for the local endpoint was not supported for IKEv1
connections, instead the keyword *%defaultroute* could be used, causing the
value to be filled in automatically with the local
address of the default-route interface (as determined at IPsec startup time
and during configuration update). Either left or right may be
*%defaultroute*, but not both.

If *%any* is used for the remote endpoint it literally means any IP address.

*Router 1*
*conn r1-r5*
*        connaddrfamily=ipv4*
*        authby=secret*
*        auto=start*
*        phase2=esp*
*        phase2alg=3des-sha1;modp8192*
*        ike=3des-sha1;modp8192*
*        salifetraffic=0*
*        ikev2=never*
*        left=10.10.15.1*
*        leftsubnet=11.1.1.1/32 <http://11.1.1.1/32>*
*        leftupdown="/usr/bin/rmf_ipsec_updown --route yes"*
*        pfs=yes*
*        dpddelay=30*
*        dpdtimeout=120*
*        dpdaction=restart*
*        right=%any*
*        rightsubnet=55.5.5.5/32 <http://55.5.5.5/32>*
*        rightupdown="/usr/bin/rmf_ipsec_updown --route yes"*
*        type=tunnel*


*Router 5*
conn r1-r5
        connaddrfamily=ipv4
        authby=secret
        auto=start
        phase2=esp
        phase2alg=3des-sha1;modp8192
        ike=3des-sha1;modp8192
        salifetraffic=0
        ikev2=never
        left=10.10.15.5
        leftsubnet=55.5.5.5/32
        leftupdown="/usr/bin/rmf_ipsec_updown --route yes"
        pfs=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        right=%any
        rightsubnet=11.1.1.1/32
        rightupdown="/usr/bin/rmf_ipsec_updown --route yes"
        type=tunnel


Even if I use %any on left section of both devices, it doesn't take IP from
the routing table. I am not sure how would it take an IP during negotiation.

Am I missing something ? Please help.

Thank you very much.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20190125/8919f083/attachment.html>

More information about the Swan mailing list