[Openswan Users] Fwd: Problem with right=%any
Samir Hussain
shussain at xelerance.com
Mon Feb 26 20:01:48 EST 2018
Rescued from the spam bucket. Please remember to subscribe to the
mailing list before posting to it.
-------- Forwarded Message --------
Subject: Problem with right=%any
Date: Tue, 27 Feb 2018 01:00:45 +0000
From: Thomas, Gregory N. <gregory.n.thomas at accenture.com>
To: users at lists.openswan.org <users at lists.openswan.org>
Hello
We are trying to set up a dynamic right side configuration, as we want
this local host to use IPsec (transport) for many other hosts in a
host-to-many configuration.
We can get a host-to-host working, but when we try to make it dynamic
for the right side, using right=%any, it does not seem to find the entry
for the PSK in ipsec.secrets.
It seems to only work when we specify right=<IP>. What are we missing?
We really need a dynamic right side configuration.
/etc/ipsec.secrets
[root at or1dtstipso001 etc]# cat ipsec.secrets
10.249.100.97 %any : PSK "L1nuxGotTa!ent"
10.249.100.97 10.249.100.96 : PSK "L1nuxGotTa!ent"
10.249.100.97 10.249.101.105 : PSK "L1nuxGotTa!ent"
/etc/ipsec.conf
[root at or1dtstipso001 etc]# cat ipsec.conf
# Uncomment when using this configuration file with openswan
version 2
config setup
    interfaces=%defaultroute
    #nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8
    #oe=off
    protostack=netkey
    #protostack=auto
    #plutodebug=all
    #plutostderrlog=/var/log/openswan.log
#include /etc/ipsec.d/*.conf
conn test
    type=transport
    authby=secret
    auto=start
    left=%defaultroute
    #left=10.249.100.97
    leftid=10.249.100.97
    #right=10.249.100.96
    right=%any
    pfs=no
    #ike=3des-md5;dh24
    #ike=3des-sha1;modp1024
    #phase2=esp
    #phase2alg=3des-md5
    #phase2alg=3des-sha1;modp1024
    aggrmode=no
    keyingtries=0
    keylife=900s
    ikelifetime=900s
    disablearrivalcheck=no
    rekeymargin=4m
    compress=no
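As an added example, not part of the original post and not Openswan's own code, the script below does the two static checks a reviewer would run against a configuration like the one above before looking at pluto logs: it parses ipsec.conf the way ipsec.conf(5) describes it (section headers at column 0, parameters indented, so an unindented parameter never attaches to its "conn"), and it parses ipsec.secrets and asks which PSK entries could cover a given local ID and peer. The selector matching is a simplified model, stated as an assumption: "%any" is treated as a wildcard and an entry with fewer wildcards is ranked ahead of one with more. The sample files are constructed to mirror the posted ones, with the key value replaced by a placeholder.

```python
"""Static checks for an ipsec.conf / ipsec.secrets pair (added example).

Assumptions, not Openswan's own parser:
  * ipsec.conf sections start at column 0 ("config setup", "conn <name>");
    parameter lines inside a section must be indented (ipsec.conf(5)).
  * In ipsec.secrets the selector list before ':' is matched against the
    local and remote IDs; '%any' is a wildcard; among matching entries the
    one with the fewest wildcards is modelled as preferred.
"""
import re

# Constructed: the posted ipsec.conf as it looks with leading whitespace
# stripped (the archive rendering), and the same file properly indented.
UNINDENTED_CONF = """\
version 2
config setup
interfaces=%defaultroute
protostack=netkey
conn test
type=transport
authby=secret
left=%defaultroute
leftid=10.249.100.97
right=%any
"""

INDENTED_CONF = """\
version 2
config setup
    interfaces=%defaultroute
    protostack=netkey
conn test
    type=transport
    authby=secret
    left=%defaultroute
    leftid=10.249.100.97
    right=%any
"""

# Constructed secrets file with the selectors from the post; the PSK value
# is a placeholder, not a real key.
SECRETS = """\
10.249.100.97 %any : PSK "PLACEHOLDER-PSK"
10.249.100.97 10.249.100.96 : PSK "PLACEHOLDER-PSK"
10.249.100.97 10.249.101.105 : PSK "PLACEHOLDER-PSK"
"""


def parse_ipsec_conf(text):
    """Return (sections, problems); sections maps 'conn test' -> {key: value}.
    A key=value line at column 0 is reported, because a section-based parser
    would not attach it to the preceding section."""
    sections, problems = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments, keep indent
        if not line.strip():
            continue
        if line[0] not in " \t":               # column 0: header or stray
            if line.startswith(("config ", "conn ")):
                current = line.strip()
                sections[current] = {}
            elif "=" in line:
                problems.append(f"line {lineno}: parameter '{line.strip()}' is not indented")
            continue                           # 'version 2', 'include' etc.
        if current is None:
            problems.append(f"line {lineno}: parameter outside any section")
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections, problems


# Non-greedy selector part so IPv6 IDs containing ':' still parse.
SECRET_RE = re.compile(r'^(?P<sel>.*?)\s*:\s*(?P<kind>\w+)\s+"(?P<val>[^"]*)"\s*$')


def parse_ipsec_secrets(text):
    """Return a list of (selectors, kind, value) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECRET_RE.match(line)
        if not m:
            raise ValueError(f"unparsable secrets line: {line!r}")
        entries.append((m.group("sel").split(), m.group("kind"), m.group("val")))
    return entries


def psk_candidates(entries, local_id, peer_id):
    """PSK entries whose selectors all match local_id, peer_id or %any,
    ranked with the fewest wildcards first (modelled rule, see module doc).
    An empty selector list is treated as matching everything."""
    ids = {local_id, peer_id}
    ranked = []
    for selectors, kind, value in entries:
        if kind != "PSK":
            continue
        if selectors and not all(s == "%any" or s in ids for s in selectors):
            continue
        wildcards = sum(s == "%any" for s in selectors) if selectors else 2
        ranked.append((wildcards, selectors, value))
    ranked.sort(key=lambda r: r[0])
    return ranked


def audit(conf_text, secrets_text, peer_id):
    """Cross-check: for every PSK conn with right=%any, report whether the
    secrets file has an entry that would cover leftid and the given peer."""
    sections, problems = parse_ipsec_conf(conf_text)
    entries = parse_ipsec_secrets(secrets_text)
    report = list(problems)
    for name, params in sections.items():
        if not name.startswith("conn ") or params.get("authby") != "secret":
            continue
        if params.get("right") != "%any":
            continue
        local_id = params.get("leftid") or params.get("left")
        cands = psk_candidates(entries, local_id, peer_id)
        if cands:
            report.append(f"{name}: PSK selectors {cands[0][1]} cover {local_id}<->{peer_id}")
        else:
            report.append(f"{name}: no PSK entry covers {local_id}<->{peer_id}")
    return report


if __name__ == "__main__":
    for line in audit(UNINDENTED_CONF, SECRETS, "10.249.200.1"):
        print("stripped copy:", line)
    for line in audit(INDENTED_CONF, SECRETS, "10.249.200.1"):
        print("indented copy:", line)
```

Run as-is, the unindented copy yields only indentation problems and no "conn test" parameters at all, while the indented copy reports that the "10.249.100.97 %any" entry covers leftid and an arbitrary peer; a peer that also has its own specific line (10.249.101.105 here) ranks that line first. The checks say nothing about what pluto actually selected at runtime; that still has to come from the pluto log.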