On Wed, 23 Jan 2019, Alex wrote:
I forgot to add the ipsec auto output that shows it has a problem with %any:

config setup
    protostack=netkey

conn mysubnet
    also=wyckofftun
    rightsubnet=192.168.11.0/24
    leftsubnet=192.168.1.0/24
    auto=start

conn wyckofftun
    authby=rsasig
    auto=start
    ikev2=insist
    fragmentation=yes
    # dynamic side
    rightid=@wyckoff-orion
    right=%any
    # rsakey AwEAAbhmG
    rightrsasigkey=0sAwEAAbhmGOeY6...
    # server side
    leftid=@orion-wyckoff
    left=%defaultroute
    # rsakey AwEAAbrFz
    leftrsasigkey=0sAwEAAbrFzHlMRChBGKU...
Note: I would remove the empty lines to prevent possible confusion with the config parser thinking a new section is starting.
# ipsec auto --up wyckofftun
029 "wyckofftun": cannot initiate connection without knowing peer IP
You cannot use right=%any and left=%defaultroute, as then libreswan cannot determine whether it is supposed to be "right" or "left". Regardless, if you initiate, you must know the remote endpoint's DNS name or IP address. If one endpoint is behind NAT, only that endpoint can initiate. Unless it is behind a NAT that does port forwarding, in which case your right= should be the hostname or IP address of the NAT device. Initiating a connection to "any" does not provide information where your remote endpoint actually is...

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
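As an added illustration (not code from the thread or from libreswan), a small Python linter that reads an ipsec.conf in the layout above, follows also= inheritance, and flags the two conditions Paul describes: right=%any together with left=%defaultroute, and auto=start on a conn whose peer is %any. The sample config is constructed from the posted one with the RSA keys omitted, and the rules are an assumed encoding of the reply, not libreswan's own validation.

```python
# Constructed sample modelled on the posted ipsec.conf (RSA keys omitted).
SAMPLE_CONF = """config setup
    protostack=netkey
conn mysubnet
    also=wyckofftun
    rightsubnet=192.168.11.0/24
    leftsubnet=192.168.1.0/24
    auto=start
conn wyckofftun
    auto=start
    rightid=@wyckoff-orion
    right=%any
    leftid=@orion-wyckoff
    left=%defaultroute
"""

def parse_conns(text):
    """{conn_name: {key: value}}: a column-0 line opens a section, indented
    key=value lines belong to it, '#' comments and blank lines are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header, e.g. "conn wyckofftun"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def resolve(conns, name, seen=()):
    """Merge also= targets into a conn; the including conn's own keys win."""
    kv = dict(conns[name])
    for other in kv.pop("also", "").split():
        if other in conns and other not in seen:
            for k, v in resolve(conns, other, seen + (name,)).items():
                kv.setdefault(k, v)
    return kv

def check_conn(kv):
    """The two rules from the reply (assumed encoding, not libreswan's own checks)."""
    problems = []
    if kv.get("right") == "%any" and kv.get("left") == "%defaultroute":
        problems.append("right=%any with left=%defaultroute: cannot tell which end is local")
    if kv.get("auto") == "start" and "%any" in (kv.get("left"), kv.get("right")):
        problems.append("auto=start with a %any peer: cannot initiate without a peer address")
    return problems

def lint(text):
    """Lint every conn after also= resolution: {conn_name: [problems]}."""
    conns = parse_conns(text)
    return {name: check_conn(resolve(conns, name)) for name in conns}
```

Both conns are reported, since mysubnet inherits right=%any and left=%defaultroute through also=wyckofftun.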
