Let's say that I want to use the same ipsec.conf template on both
peers. One of the peers could be behind a NAT (in that case I do not
know in advance to which IP address it will be NATed). Also, sometimes
both peers might be connected directly without any NATs. The same
template should support both deployments.
Now I came up with this ipsec.conf template that looks something like:
config setup
    charonstart=yes
    plutostart=no

conn %default
    keyingtries=%forever
    type=tunnel
    installpolicy=no
    keyexchange=ikev2

conn remote-<peer>
    reqid=1
    left=%any
    leftcert=/client-cert.pem
    rightcert=/<peer>.pem

conn remote-<peer>-direct
    also=remote-<peer>
    auto=start
    right=<peer>

conn remote-<peer>-nat-initiator
    also=remote-<peer>
    auto=start
    right=<peer>
    leftsourceip=%config

conn remote-<peer>-nat-responder
    also=remote-<peer>
    auto=start
    right=%any
    rightsourceip=<peer>
Is it possible to merge all these "conn" entries into a single "conn"
entry so that it would still support NAT and non-NAT deployment?
Otherwise, on the responder, if remote-<peer>-nat-responder was
negotiated, then remote-<peer>-direct and
remote-<peer>-nat-initiator would still pointlessly be stuck in the
"CONNECTING" state...
I tried to experiment with rightallowany=yes, but that made strongSwan
get stuck in IKE negotiation because, I guess, it uses the NATed IP
address to find the proposal, but it couldn't find any.
Best regards,
Ansis
_______________________________________________
Users mailing list
users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
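As an added illustration (not part of the original post and not strongSwan's own parser), a small Python script that reads the conn sections of the template above and resolves %default plus the also= chains, so you can see what each of the three auto=start conns actually ends up with. It assumes the four-space-indented form of the template and leaves the <peer> placeholder unexpanded.

```python
# Constructed sample: the conn sections of the post's template, <peer> left as written.
IPSEC_CONF = """\
conn %default
    keyingtries=%forever
    type=tunnel
    installpolicy=no
    keyexchange=ikev2
conn remote-<peer>
    reqid=1
    left=%any
    leftcert=/client-cert.pem
    rightcert=/<peer>.pem
conn remote-<peer>-direct
    also=remote-<peer>
    auto=start
    right=<peer>
conn remote-<peer>-nat-initiator
    also=remote-<peer>
    auto=start
    right=<peer>
    leftsourceip=%config
conn remote-<peer>-nat-responder
    also=remote-<peer>
    auto=start
    right=%any
    rightsourceip=<peer>
"""

def parse_conns(text):
    """Map each 'conn NAME' section to its own key=value pairs, uninherited."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():        # unindented line: section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None:       # indented line: key=value inside a section
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns
def effective(conns, name, seen=()):
    """Settings a conn ends up with: %default, then its also= chain, then its own."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    own = conns[name]
    base = (effective(conns, own["also"], seen + (name,)) if "also" in own
            else dict(conns.get("%default", {})))
    base.update((k, v) for k, v in own.items() if k != "also")
    return base
```

Running `effective(parse_conns(IPSEC_CONF), "remote-<peer>-nat-responder")` shows that all three auto=start conns share reqid, certificates and IKEv2 settings and differ only in right/leftsourceip/rightsourceip.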