On Sat, Feb 22, 2020 at 02:33:17PM +0100, Tobias Heider wrote:
> Peer can not be "any" in an active policy, somehow the initiator must know
> where to send the messages. In this case the default currently is what I've
> described before: the IP of peer.

But in `passive' policies, which is the default unless `active' is specified
explicitly, the manual already makes use of `peer any' in the EXAMPLES
section.

> In a passive policy the key is only needed when
> the peer's ID has been exchanged in the IKE_AUTH message,
> so (I think) the default is to use whatever ID was received.

That does not match the manual wording, then.

> I think this works pretty well in 90% of the cases and I've always been a
> fan of a short default configuration, so I don't think requiring to
> set dstid is a good idea.
>
> We should rather fix the defaults to do what we expect them to do.
> In your example case that would be using fqdn/D.example.com

Agreed; do you take a stab at it? I'm happy to test.
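As an added illustration of the two policy kinds the thread contrasts (example iked.conf fragment written for this page, not taken from the thread or from iked's manual; the policy names, subnets and the 192.0.2.10 address are constructed placeholders, and the D.example.com identity is the one from the thread):

```conf
# Active policy: this host initiates, so it must name a concrete peer
# address; `peer any' is not meaningful here.
# Subnets, hostnames and the peer address are constructed placeholders.
ikev2 "to-d" active esp from 10.0.1.0/24 to 10.0.2.0/24 \
        peer 192.0.2.10 \
        srcid A.example.com dstid D.example.com

# Passive policy: this host only responds, so `peer any' is allowed, as in
# the manual's EXAMPLES. The thread is about what dstid should default to
# when it is omitted in this case; spelling it out (fqdn/D.example.com in
# iked's own ID notation) pins the expected initiator identity instead of
# relying on whichever default the code and the manual agree on.
ikev2 "from-d" passive esp from 10.0.2.0/24 to 10.0.1.0/24 \
        peer any \
        srcid A.example.com dstid D.example.com
```

With no psk or key option given, both policies fall back to iked's default public-key authentication, which is unchanged by the dstid question discussed above.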
