Add support for right=%any (for auto=route)
We could use the addresses from the kernel's acquire to try to establish a tunnel. We could also add some something like
right=<addr>, <ip-range>, <subnet>.
#6 Updated by Tobias Brunner over 4 years ago
- Status changed from New to Closed
- Assignee set to Tobias Brunner
- Target version set to 5.3.3
- Resolution set to Fixed
I've pushed this to master. With the referenced commit it is now possible to configure
conn trap-any right=%any ... type=transport auto=route
The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.
Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and
*@<group>.example.com : PSK "..." in ipsec.secrets).