On Fri, 25 Jan 2019, Raees Khan wrote:
%any --> I am facing an issue with it. This is what it says.
The value %any for the local endpoint signifies an address to be filled in (by
automatic keying) during negotiation. If the local peer initiates the
connection setup the routing table will be queried to
determine the correct local IP address. In case the local peer is responding to
a connection setup then any IP address that is assigned to a local interface
will be accepted.
We do not support initiating a connection with %any. You might be
reading the strongswan, not libreswan manual page.
Prior to 5.0.0 specifying %any for the local endpoint was not supported for
IKEv1 connections, instead the keyword %defaultroute could be used, causing the
value to be filled in automatically with the local
address of the default-route interface (as determined at IPsec startup time and
during configuration update). Either left or right may be %defaultroute, but
not both.
That is surely from strongswan, not libreswan.
conn r1-r5
left=10.10.15.1
right=%any
[...]
this connection can only respond, not initiate.
conn r1-r5
left=10.10.15.5
right=%any
[...]
same here.
If you want just one tunnel between these two, can you not use their IP
addresses in left= and right=? If dynamic, can you use a DNS name
that is updated when their IP address changes?
If you are preparing this as the first example of rolling out an entire
mesh of nodes to encrypt to each other, please see
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
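The point of the reply above is that a conn whose peer is %any can only respond, so for a single tunnel between two hosts with known addresses both ends should be fixed. The following is an added example, not part of the original thread and not libreswan's own documentation, showing the same r1-r5 conn written so that r1 can initiate. The protected subnets (192.168.1.0/24 and 192.168.5.0/24), the PSK value and the use of a pre-shared key rather than certificates are assumptions for illustration; the peer addresses 10.10.15.1 and 10.10.15.5 are the ones from the thread.

```ini
# /etc/ipsec.conf on r1 (added example; both endpoints fixed, so the
# conn can both initiate and respond)
conn r1-r5
    # fixed addresses on both sides: no %any, so auto=start is allowed
    left=10.10.15.1
    right=10.10.15.5
    # assumed subnets behind each gateway
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.5.0/24
    authby=secret
    # initiate at startup instead of only loading the conn
    auto=start

# /etc/ipsec.secrets on r1 (the key string is a placeholder, not a real secret)
# 10.10.15.1 10.10.15.5 : PSK "replace-with-a-long-random-shared-secret"

# For comparison: the responder-only form from the thread. With right=%any
# libreswan will not initiate, so auto=start is not useful here; use auto=add
# and let the peer initiate.
conn r1-any
    left=10.10.15.1
    right=%any
    leftsubnet=192.168.1.0/24
    authby=secret
    auto=add
```

On r5 the same conn is used with left and right (and leftsubnet/rightsubnet) swapped, and the secrets line carries the same PSK. If r5's address really does change, the reply's other suggestion applies: put a DNS name in right= (for example right=r5.example.org, an assumed name) and keep that record updated; libreswan resolves it when the conn is loaded, so `ipsec auto --replace r1-r5` is needed after the address changes, since the name is not re-resolved on every retry.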