[Openswan Users] Dynamic Right side with a host-to-host configuration (transport mode)
Gregory Thomas
gnt.architect at gmail.com
Wed Apr 18 11:33:25 EDT 2018
I am configuring Openswan for a host-to-many (transport mode) configuration.
In the test environment, there are 4 systems (three Linux systems and one
Windows).
Linux will not initiate the tunnel when using right=%any (conn road); it
will initiate the tunnel if I create a conn section with the IP for right.
The following error appears when using right=%any:
: "road": cannot route template policy of PSK+ENCRYPT+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS
: | processing connection "road"
: "road": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
: | reaped addconn helper child
Any ideas where and what to look at to make the right side dynamic
(completely dynamic with PSK)? I have been searching and searching for a
dynamic right side config or examples.
The config below works fine from the Windows side: initiating the tunnel
from Windows to Linux works. However, trying to initiate the tunnel from
Linux to Windows or Linux to Linux fails on the Linux side if I do not use
a conn section with right=<IP>.
Config on Linux using PSK for now:
version 2

config setup
    interfaces=%defaultroute
    protostack=netkey
    plutodebug=all
    plutostderrlog=/var/log/openswan.log

conn %default
    type=transport
    authby=secret
    auto=start
    #auto=add
    pfs=no
    aggrmode=no
    keyexchange=ike
    ike=3des-md5;modp1024,3des-sha1;modp1024,aes-sha1
    phase2=esp
    phase2alg=3des-sha1
    compress=no
    failureshunt=passthrough
    left=%defaultroute
    leftnexthop=%defaultroute

conn road
    auto=add
    right=%any

conn 10.249.100.96
    right=10.249.100.96

conn 10.249.100.97
    right=10.249.100.97
Windows is set up using an IPsec policy with only a PSK (for now).
Gregory
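The error quoted above is the expected behaviour: a conn with right=%any is a template (CK_TEMPLATE) that pluto can only instantiate when a peer connects in, so it cannot be initiated with auto=start, and only conns with a concrete right= can initiate. As an added illustration (not code from the post or from Openswan), the checker below parses an ipsec.conf, applies conn %default inheritance, and flags template conns that would be asked to initiate; SAMPLE_CONF is a constructed, trimmed variant of the poster's config with one extra conn (allhosts) that inherits auto=start.

```python
"""Lint an ipsec.conf (Openswan syntax) for template conns that can never initiate."""

# Constructed sample modelled on the post's config; 'allhosts' is an added conn
# that inherits auto=start from %default while using right=%any.
SAMPLE_CONF = """\
version 2
config setup
    protostack=netkey
conn %default
    type=transport
    authby=secret
    auto=start
    left=%defaultroute
conn road
    auto=add
    right=%any
conn 10.249.100.96
    right=10.249.100.96
conn allhosts
    right=%any
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}. A line in column 0 starts a new section;
    indented key=value lines belong to the current conn. 'config setup' and
    'version' are skipped, since only conn sections matter here."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():                # column 0: section header
            parts = line.split(None, 1)
            current = parts[1] if parts[0] == 'conn' and len(parts) == 2 else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.strip().split('=', 1)
        conns[current][key.strip()] = value.strip()
    return conns

def effective_conns(conns):
    """Merge 'conn %default' into every other conn (explicit keys win)."""
    defaults = conns.get('%default', {})
    return {n: {**defaults, **p} for n, p in conns.items() if n != '%default'}

def uninitiable_templates(text):
    """Names of conns with right=%any (templates, no peer IP to initiate to)
    that are nonetheless set to auto=start or auto=route; these cannot come up
    from this side and produce the 'cannot initiate connection' error."""
    conns = effective_conns(parse_ipsec_conf(text))
    return sorted(n for n, p in conns.items()
                  if p.get('right') == '%any' and p.get('auto') in ('start', 'route'))
```

Conns listed by uninitiable_templates need either auto=add (respond only, as conn road already has) or a concrete right= address.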