On Wed, 23 Jan 2019, Alex wrote:


# ipsec auto --up wyckofftun
029 "wyckofftun": cannot initiate connection without knowing peer IP

You cannot use right=%any and left=%defaultroute, as then libreswan
cannot determine whether it is supposed to be "right" or "left".

Then when should it be used?

The host with the configuration right=%any and left=%defaultroute that you
created, you intend that it contacts some specific server on your LAN.
That server has a static IP I hope, or at least a DNS name.

Anyway, to clarify a bit. I assume you have a VPN server and a bunch of
VPN clients connecting to it. If that is wrong, then you need to explain
again what it is you are trying to do. If you have a VPN server, it
should be reachable via a DNS name or IP address. So then on the VPN
server you can use right=%any and left=%defaultroute but on the VPN
clients you would use right=VPNserverNameorIP and left=%defaultroute.

The endpoint is not behind NAT. It is laptops and desktops and phones
connected to the remote VPN gateway on a private network with a
dynamic IP. The gateway then uses NAT to allow them to communicate
with the Internet, of course.

I'm still not fully clear what you are doing. Are the laptops and
desktops and phones on a LAN with NAT and there is a remote VPN gateway
somewhere else on the internet? If so, then your right= should for sure
point to that remote VPN server DNS name or IP address on your clients'
config.

So you're saying go back to using RSA keys instead of certs, correct?

No I did not.

I'm again having the same problem I had some months ago when trying to
create a host-to-host VPN using RSA keys. I've deleted *.db and
recreated it and it still doesn't work. This is what I've done.

I would stick with the certificates and not go back to raw RSA keys.

Paul
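For contrast, the distinction Paul draws above laid out as ipsec.conf fragments. This is an added illustration, not part of the thread or of the libreswan project; the conn name is the one from the thread, while the hostnames, certificate nicknames and IDs are placeholders, and the three blocks belong in separate files (one per host), never in one ipsec.conf.

```ini
# Added illustration, not from the thread. Placeholder names throughout.

# --- client / road-warrior side (the initiator) ---
# This is the configuration that fails with
# "cannot initiate connection without knowing peer IP":
# with right=%any the initiator has no address to send the first IKE packet to.
conn wyckofftun
    left=%defaultroute
    right=%any
    auto=start

# Corrected: the initiator names the gateway it is going to contact.
conn wyckofftun
    left=%defaultroute
    leftcert=laptop.example.net      # placeholder: cert nickname in the NSS db
    leftid=%fromcert
    right=vpn.example.net            # placeholder: gateway DNS name or static IP
    rightid="CN=vpn.example.net"     # placeholder: must match the gateway's cert
    rightca=%same
    auto=start

# --- gateway side (the responder), where right=%any is appropriate ---
# The gateway only waits for peers, so it never needs to know their IP.
conn wyckofftun
    left=%defaultroute
    leftcert=vpn.example.net         # placeholder: gateway cert nickname
    leftid=%fromcert
    right=%any
    rightid=%fromcert
    rightca=%same
    auto=add                         # load and listen; do not try to initiate
```

The responder side with auto=add accepts any peer that presents a certificate from the same CA, which is why rightid is resolved from the presented cert rather than fixed.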
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan