<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 04/07/2018 16:03, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1807041100180.9127@bofh.nohats.ca">
<br>
On Wed, 4 Jul 2018, Nick Howitt wrote:
<br>
<br>
<blockquote type="cite">In the conn you can use left=%defaultroute
which automatically picks up your left IP. There does not seem
to be an equivalent in the secrets file or am I missing
something? I can use an FQDN or I can set %any to get round it
but %any has other side effects like limiting you to one secret
across all conns.
<br>
</blockquote>
<br>
Note that in IKEv1 Main Mode, you still have the issue of only
being able to use PSKs if they are all the same (e.g. %any)
<br>
<br>
</blockquote>
Yes, but I only have to use %any because there is nothing like
%myip.<br>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1807041100180.9127@bofh.nohats.ca">
<blockquote type="cite">I found an old thread between us 9 years
ago asking the same question and I am wondering if there has
been any progress? In that thread it pushed me to %any which I'd
rather not do. To me it would be nice if you could also use
%defaultroute or something like %myip to automatically pick up
the WAN IP. I can also work round it using IKEv2 and a leftid.
<br>
</blockquote>
<br>
So you say that this does not work as expected:
<br>
<br>
0.0.0.0 1.2.3.4 : PSK "passwd 1"
<br>
0.0.0.0 6.7.8.9 : PSK "passwd 2"
<br>
</blockquote>
Isn't 0.0.0.0 the same as %any? From testing ages ago this never
worked as the first (or it may have been the last) %any would always
match anything including 6.7.8.9 (or 1.2.3.4 if it was the last one
which matched - my memory has gone). Has anything changed over the
years?<br>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1807041100180.9127@bofh.nohats.ca">
<br>
Ideally of course, you both configure ID_FQDN, so you can use:
<br>
<br>
@myid @remote1 : PSK "passwd 1"
<br>
@myid @remote2 : PSK "passwd 2"
<br>
</blockquote>
Fine with IKEv2 (so presumably aggressive mode). I am more
interested in IKEv1 Main mode.<br>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1807041100180.9127@bofh.nohats.ca">
<br>
If you are on a Cisco that only has ID_IP type, please upgrade its
firmware. They do support it.
<br>
</blockquote>
Can't afford Cisco ......<br>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1807041100180.9127@bofh.nohats.ca">
<br>
Paul
<br>
</blockquote>
<br>
</body>
</html>