[Swan] Need Help in %any

Paul Wouters paul at nohats.ca
Fri Jan 25 18:16:02 UTC 2019


On Fri, 25 Jan 2019, Raees Khan wrote:

> %any  --> I am facing issue with it. This is what it says.
> 
> The value %any for the local endpoint signifies an address to be filled in (by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table will be queried to
> determine the correct local IP address. In case the local peer is responding to a connection setup then any IP address that is assigned to a local interface will be accepted.

We do not support initiating a connection with %any. You might be
reading the strongswan, not libreswan manual page.

> Prior to 5.0.0 specifying %any for the local endpoint was not supported for IKEv1 connections, instead the keyword %defaultroute could be used, causing the value to be filled in automatically with the local
> address of the default-route interface (as determined at IPsec startup time and during configuration update). Either left or right may be %defaultroute, but not both.

That is surely from strongswan, not libreswan.

> conn r1-r5
>         left=10.10.15.1
>         right=%any
[...]

this connection can only respond, not initiate.

> conn r1-r5
>         left=10.10.15.5
>         right=%any
[...]

same here.

If you want just one tunnel between these two, can you not use their IP
addresses in left= and right=? If dynamic, can you use a DNS name
that is updated when their IP address changes?

If you are preparing this as the first example of rolling out an entire
mesh of nodes to encrypt to each other, please see

https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec

Paul
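The check a practitioner would want after reading the reply above: a conn whose peer is %any can only respond, so combining it with auto=start asks libreswan to initiate something it cannot. The script below is an added example, not code from the thread or from libreswan. It parses the conn sections of an ipsec.conf-style file and reports that mismatch. The sample configuration is constructed; only the 10.10.15.1 and 10.10.15.5 addresses come from the thread, and the authby= and auto= values are assumed for illustration.

```python
"""Flag libreswan ipsec.conf conns that are told to initiate (auto=start)
while one endpoint is %any. As the reply above states, such a conn can
only respond, not initiate.

Added example, not libreswan code. SAMPLE_CONF is constructed: the IP
addresses are from the thread, authby=/auto= values are assumptions.
"""
from typing import Dict, List, Tuple

SAMPLE_CONF = """\
config setup
        protostack=netkey

# As posted: responder-only, but asked to initiate (assumed auto=start)
conn r1-r5
        left=10.10.15.1
        right=%any
        authby=secret
        auto=start

# Suggested fix: name both endpoints, so this end can initiate
conn r1-r5-fixed
        left=10.10.15.1
        right=10.10.15.5
        authby=secret
        auto=start

# Legitimate responder-only conn: %any peer, loaded but never initiated
conn roadwarrior
        left=%defaultroute
        right=%any
        authby=secret
        auto=add
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse conn sections into {name: {key: value}}.

    Handles the usual layout: section headers at column 0, settings
    indented, '#' comments. include and also= are not expanded.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header: only 'conn NAME' is of interest here
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if (
                len(parts) == 2 and parts[0] == "conn") else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip().lower()] = value.strip()
    return conns


def initiator_problems(conns: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (conn_name, message) for conns with auto=start and an %any
    endpoint. Such a conn has no peer address to initiate towards; it
    can only wait for the other side."""
    problems: List[Tuple[str, str]] = []
    for name, cfg in conns.items():
        if cfg.get("auto", "ignore") != "start":
            continue
        for side in ("left", "right"):
            if cfg.get(side) == "%any":
                problems.append((name, f"{side}=%any with auto=start: "
                                       "this conn can only respond, not initiate"))
    return problems


if __name__ == "__main__":
    for conn, msg in initiator_problems(parse_conns(SAMPLE_CONF)):
        print(f"conn {conn}: {msg}")
```

Run it against a real /etc/ipsec.conf by reading the file into parse_conns instead of SAMPLE_CONF; only the conn named r1-r5 in the sample is reported, because r1-r5-fixed has both addresses and roadwarrior is auto=add.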