Paul,

Thanks for your reply. I didn't realize both sides couldn't have the same ID. I managed to work around the problem by being very specific with the "right" setting on the east side of the connection (single IP /32).
Matt

On Wed, Sep 12, 2018 at 2:24 PM Paul Wouters <[email protected]> wrote:

> On Wed, 12 Sep 2018, Matthew Johnson wrote:
>
> > I have two connections on east.
> >
> > conn test#0.0.0.0/0
> >     type=transport
> >     authby=null
> >     leftid=@mesh
> >     rightid=@mesh
>
> Both sides cannot have the same ID.
>
> >     left=%defaultroute
> >     right=0.0.0.0
>
> 0.0.0.0 is %any, I would write it as %any
>
> > When the connection is initiated by west, it matches test#0.0.0.0/0 on east, which is not what I
> > would expect. I would have thought the mismatched left/right IDs would have caused the system to
> > find a better match - conman-pool-server. Am I missing something here?
>
> Are you sure? The initial IKE_INIT exchange of packets can match on any
> connection where %any is in use. It will be refined on the second packet
> exchange (IKE_AUTH) and it can then "switch" connection.
>
> But regardless, the test connection is wrongly using the same ID for
> both ends of the connection.
>
> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
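The configuration points raised in the thread (identical leftid/rightid, 0.0.0.0 standing for %any, and a wildcard address making a conn a candidate for the first exchange) can be checked mechanically. The following is an added example, not part of the thread and not libreswan code; the second conn and its IDs (@east, @west) are hypothetical, and the parser handles only the simple layout shown.

```python
# Constructed sample: the "test" conn quoted in the thread, plus a variant whose
# IDs (@east/@west) are hypothetical placeholders chosen for this example.
SAMPLE_CONF = """\
conn test#0.0.0.0/0
    type=transport
    authby=null
    leftid=@mesh
    rightid=@mesh
    left=%defaultroute
    right=0.0.0.0

conn distinct-ids
    leftid=@east
    rightid=@west
    left=%defaultroute
    right=%any
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # only whole-line comments: conn names may contain '#'
        if not raw[0].isspace():  # section header ("conn x", "config setup")
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint(conns):
    """Return (conn, finding) pairs for the issues raised in the thread."""
    findings = []
    for name, opts in conns.items():
        if opts.get("leftid") is not None and opts.get("leftid") == opts.get("rightid"):
            findings.append((name, "leftid and rightid are identical"))
        for side in ("left", "right"):
            addr = opts.get(side)
            if addr == "0.0.0.0":
                findings.append((name, f"{side}=0.0.0.0 means %any"))
            if addr in ("0.0.0.0", "%any"):
                findings.append((name, f"{side} is a wildcard address"))
    return findings

if __name__ == "__main__":
    for name, finding in lint(parse_conns(SAMPLE_CONF)):
        print(f"{name}: {finding}")
```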
