
I am now setting up a VPN client for my university's own L2TP/IPsec VPN network, using openswan, libreswan and strongswan (for different distros).

Here is the problem:

The remote site (VPN server) is a domain name (say xxx.com) with multiple IP addresses (say 123.123.123.100-123.123.123.103).

In this case, how should I set the conn part?

I have tried something like:

conn university
    ...
    left=%defaultroute
    right=xxx.com
    ...
    auto=route

This does not seem to work: when *swan starts, it parses xxx.com and sets up the route using the IP returned by the DNS request (say 123.123.123.100). Then, when I make a connection to xxx.com, it may parse the domain again and get a different IP (say 123.123.123.101), and the connection will not go through *swan.

I have also tried the rightsubnet option, but I don't know what the right option should be. If I just use %any, *swan gives some error like "No route to destination" (something like that, I cannot remember) and refuses to add the conn.

Now my workaround is:

conn university0
    right=123.123.123.100
    also=university
    auto=route

conn university1
    right=123.123.123.101
    also=university
    auto=route

conn university2
    right=123.123.123.102
    also=university
    auto=route

conn university3
    right=123.123.123.103
    also=university
    auto=route

conn university4
    right=123.123.123.104
    also=university
    auto=route

conn university
    left=%defaultroute
    ...

...which works, but seems ugly and non-scalable.

In the past, when I used racoon, I could use the setkey command to modify the SPD directly, so I could set policies for the corresponding IPs directly.

I think this case is common and there should be a solution designed for it in *swan. Can anyone help?

nnkken
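Added example, not code from the question or from any *swan project: a small Python generator for the per-address workaround above, so the numbered conn stanzas are produced from a list of addresses instead of being hand-maintained. The address list is a constructed sample; `resolve_all` is an assumed helper that queries DNS live and is not exercised offline.

```python
import ipaddress
import socket
from typing import Iterable, List

# Constructed sample: the addresses the question says xxx.com resolves to.
SAMPLE_IPS = ["123.123.123.100", "123.123.123.101",
              "123.123.123.102", "123.123.123.103"]


def resolve_all(hostname: str) -> List[str]:
    """Return every IPv4 address the resolver returns for hostname right now.
    Assumed helper; needs network access, so the checks use SAMPLE_IPS."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.ip_address)


def render_conns(base: str, ips: Iterable[str]) -> str:
    """Emit one 'conn <base><n>' stanza per address, each inheriting the
    shared settings via also=<base>, exactly as the hand-written workaround
    does. Duplicates and anything that is not a literal IP are rejected, so
    a stray hostname cannot reintroduce the resolve-at-start problem."""
    seen = set()
    stanzas = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # raises ValueError on a non-literal
        if addr in seen:
            raise ValueError(f"duplicate address {ip}")
        seen.add(addr)
        n = len(stanzas)
        stanzas.append(
            f"conn {base}{n}\n"
            f"    right={addr}\n"
            f"    also={base}\n"
            f"    auto=route\n"
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    # e.g. python gen_conns.py > /etc/ipsec.d/university-peers.conf
    print(render_conns("university", SAMPLE_IPS))
```

The generated file is meant to be pulled in with the `include` directive of ipsec.conf next to the shared `conn university` stanza. Because the routed set is only as current as the last resolution, regenerate and reload it whenever the name's records change; an address not in the list would otherwise be reached outside the tunnel, which is exactly the failure the question describes.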