
Having a typical host-to-host transport mode IPsec configuration,

conn appserver01-to-swift01
    [email protected]
    left=10.133.176.246
    leftrsasigkey=xxxxxxxxxxxxxxxxxxxxxxxx
    [email protected]
    right=10.133.176.111
    authby=rsasig
    rightrsasigkey=xxxxxxxxxxxxxxxxxxxxxxx
    # load and initiate automatically
    auto=start

Is there a way to make this a many-to-one / many-to-many connection? I have multiple hosts on the same LAN and I was using this to get encrypted traffic between the two hosts. If I add more hosts, will I need to add more host-to-host connections, or is it possible to do:

conn mytunnel
    left=192.168.56.120
    leftcert=leftcert.pem
    right=%any
    rightrsasigkey=%cert
    rightca="C=KE, O=Mycompany, OU=mydepartment, CN=*"
    auto=add

using certificate authentication? I tried something like this, but right says:

We cannot identify ourselves with either end of this connection.

and left says:

cannot initiate connection without knowing peer IP address

From some documentation I saw (see right=%any), I thought it was possible, but after trying and failing, I'm thinking it's not possible (Red Hat). So, is it possible to have a single configuration accept any client that presents a valid X.509 certificate regardless of its IP address? All addresses are private and all machines are pretty much equivalent.

A similar question has been asked before on some mailing list, but I could not find any public reply to it (lists.openswan.org/pipermail/users/2015-March/023294.html).
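An added example, not the asker's configuration, of how this is normally split in Libreswan/Openswan: the host that answers loads a responder conn with right=%any and auto=add, while every other host loads an initiator conn naming the peer's concrete address, because a %any peer can only be answered, never initiated, and an unchanged copy of the responder conn on a host whose address is not 192.168.56.120 matches neither end (which is what the two quoted errors report). Addresses and the CA subject are reused from the question; the %fromcert identity keywords and the hostcert.pem file name are assumptions.

```ini
# Responder side, loaded on 192.168.56.120 (the host the others connect to).
# right=%any cannot be initiated, so this conn is auto=add: it only answers.
conn accept-any-cert
    type=transport
    left=192.168.56.120
    leftcert=leftcert.pem
    leftid=%fromcert          # identity taken from the certificate subject
    leftsendcert=always
    right=%any
    rightid=%fromcert         # peer identity also taken from its certificate
    rightrsasigkey=%cert
    rightca="C=KE, O=Mycompany, OU=mydepartment, CN=*"
    authby=rsasig
    auto=add

# Initiator side, loaded on each other LAN host (e.g. 192.168.56.121).
# The peer address must be concrete here; %any would produce
# "cannot initiate connection without knowing peer IP address".
conn to-server
    type=transport
    left=%defaultroute
    leftcert=hostcert.pem     # assumed name of this host's own certificate
    leftid=%fromcert
    leftsendcert=always
    right=192.168.56.120
    rightid=%fromcert
    rightrsasigkey=%cert
    rightca="C=KE, O=Mycompany, OU=mydepartment, CN=*"
    authby=rsasig
    auto=start
```

A host that must both accept and initiate carries both kinds of conn, one responder conn plus one initiator conn per peer it needs to reach.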
