On 04/07/2018 16:03, Paul Wouters wrote:

> On Wed, 4 Jul 2018, Nick Howitt wrote:
>
>> In the conn you can use left=%defaultroute which automatically picks up your left IP. There does not seem to be an equivalent in the secrets file, or am I missing something? I can use an FQDN or I can set %any to get round it, but %any has other side effects like limiting you to one secret across all conns.
>
> Note that in IKEv1 Main Mode, you still have the issue of only being
> able to use PSKs if they are all the same (eg %any)

Yes, but I only have to use %any because there is nothing like %myip.
I found an old thread between us 9 years ago asking the same question and I am wondering if there has been any progress? In that thread it pushed me to %any, which I'd rather not do. To me it would be nice if you could also use %defaultroute or something like %myip to automatically pick up the WAN IP. I can also work round it using IKEv2 and a leftid.

> So you say that this does not work as expected:
>
> 0.0.0.0 1.2.3.4 : PSK "passwd 1"
> 0.0.0.0 6.7.8.9 : PSK "passwd 2"

Isn't 0.0.0.0 the same as %any? From testing ages ago this never worked, as the first (or it may have been the last) %any would always match anything including 6.7.8.9 (or 1.2.3.4 if it was the last one which matched - my memory has gone). Has anything changed over the years?

> Ideally of course, you both configure ID_FQDN, so you can use:
>
> @myid @remote1 : PSK "passwd 1"
> @myid @remote2 : PSK "passwd 2"

Fine with IKEv2 (so presumably aggressive mode). I am more interested in IKEv1 Main Mode.

> If you are on a Cisco that only has ID_IP type, please upgrade its
> firmware. They do support it.

Can't afford Cisco ......

> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
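The exchange above turns on how a PSK is picked from the secrets file before the peer's identity is known. The following is an added example, written for this page and not libreswan's own code: a small model of ipsec.secrets-style index matching that shows the three cases discussed (IP-indexed entries for peers with fixed addresses, the %any collapse for road warriors in IKEv1 Main Mode, and @fqdn entries that only become usable once the peer's ID payload is available, i.e. in IKEv2 or aggressive mode). The reason Main Mode is restricted is that the ID payload is sent encrypted, so the responder must select the PSK with nothing but the peer's IP address. The sample secrets, the addresses and the "first match wins" rule are constructed assumptions for this illustration; libreswan's real lookup is more elaborate, so treat the matching rules as a simplification rather than as its behaviour.

```python
# Added example, not libreswan code: a simplified model of PSK selection from
# an ipsec.secrets-style file.  Matching is "first entry whose two indices
# match"; libreswan's actual rules are more involved (ASSUMPTION for the demo).
import re
from typing import Dict, List, Optional, Tuple

Entry = Tuple[List[str], str]  # (index list, pre-shared key)

# Constructed sample secrets files (addresses are documentation ranges).
SECRETS_STATIC = '''\
# two peers with fixed addresses; note the local side is a literal IP because
# the secrets file has no %defaultroute / %myip equivalent
203.0.113.10 198.51.100.5 : PSK "passwd 1"
203.0.113.10 198.51.100.9 : PSK "passwd 2"
'''

SECRETS_ROADWARRIOR = '''\
# road warriors: remote address unknown, so %any is the only usable index
%any %any : PSK "passwd 1"
%any %any : PSK "passwd 2"
'''

SECRETS_FQDN = '''\
@myid @remote1 : PSK "passwd 1"
@myid @remote2 : PSK "passwd 2"
'''

LINE_RE = re.compile(r'^(?P<idx>.+?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"$')


def parse_secrets(text: str) -> List[Entry]:
    """Parse '<index> <index> : PSK "secret"' lines; lines starting with # are comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f'unparseable secrets line: {raw!r}')
        entries.append((m.group('idx').split(), m.group('psk')))
    return entries


def index_matches(index: str, identity: Optional[str]) -> bool:
    """%any and 0.0.0.0 match anything; an address or @name must match exactly.
    identity=None models an identity that is not available at lookup time."""
    if index in ('%any', '0.0.0.0'):
        return True
    return identity is not None and index == identity


def select_psk(entries: List[Entry], local: Optional[str], remote: Optional[str]) -> Optional[str]:
    """Return the PSK of the first entry whose (local, remote) indices match, else None."""
    for indices, psk in entries:
        if len(indices) == 2 and index_matches(indices[0], local) and index_matches(indices[1], remote):
            return psk
    return None


def psk_for_peer(entries: List[Entry], local_ip: str, local_fqdn: str,
                 peer_ip: str, peer_fqdn: Optional[str], ikev1_main_mode: bool) -> Optional[str]:
    """In IKEv1 Main Mode the peer's ID payload arrives encrypted, so the PSK
    has to be chosen from IP addresses alone.  With IKEv2 (or aggressive mode)
    the ID is known, so @fqdn indices can be tried first, then addresses."""
    if ikev1_main_mode:
        return select_psk(entries, local_ip, peer_ip)
    return select_psk(entries, local_fqdn, peer_fqdn) or select_psk(entries, local_ip, peer_ip)


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios from the thread; returns {scenario: selected PSK}."""
    static = parse_secrets(SECRETS_STATIC)
    roadwarrior = parse_secrets(SECRETS_ROADWARRIOR)
    fqdn = parse_secrets(SECRETS_FQDN)
    me_ip, me_fqdn = '203.0.113.10', '@myid'
    return {
        # fixed-address peers, Main Mode: the remote IP index tells the PSKs apart
        'static_main_peer9': psk_for_peer(static, me_ip, me_fqdn, '198.51.100.9', None, True),
        # two road warriors from arbitrary addresses, Main Mode: first %any wins for both,
        # so in practice every road warrior must share one PSK
        'rw_main_a': psk_for_peer(roadwarrior, me_ip, me_fqdn, '192.0.2.7', None, True),
        'rw_main_b': psk_for_peer(roadwarrior, me_ip, me_fqdn, '192.0.2.8', None, True),
        # @fqdn entries cannot match in Main Mode (ID not yet known) ...
        'fqdn_main': psk_for_peer(fqdn, me_ip, me_fqdn, '198.51.100.9', '@remote2', True),
        # ... but do once the ID is available (IKEv2 / aggressive mode)
        'fqdn_ikev2': psk_for_peer(fqdn, me_ip, me_fqdn, '198.51.100.9', '@remote2', False),
    }


if __name__ == '__main__':
    for name, psk in demo().items():
        print(f'{name:18s} -> {psk!r}')
```

The `fqdn_main` case is the one Paul's note refers to: with only the peer's address in hand, the @myid/@remote entries never match, which is why Main Mode road warriors end up on a single %any secret; the same file works as soon as the ID is available, which is what "fine with IKEv2" amounts to.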
