I’ve this (generally working) config for libreswan
conn work ikev2=insist left=%defaultroute leftsubnet=0.0.0.0/0 email@example.com leftmodecfgclient=yes right=126.96.36.199 firstname.lastname@example.org rightsubnet=192.168.0.0/24 auto=ondemand authby=secret mobike=yes narrowing=yes dpddelay=30 dpdtimeout=90 dpdaction=restart
using the config value
auto=add and the command
ipsec auto --up work is confirmed to be working. Now I was trying the
auto=ondemand setting, that should bring up the tunnel on the first package to the remote subnet. Issueing a ping to 192.168.0.132 causes libreswan to do something, but it does not complete, this is the syslog output:
audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0.0.0.0 src_prefixlen=0 dst=192.168.0.0 dst_prefixlen=24 pluto: initiate on demand from 192.168.86.154:40488 to 192.168.0.132:1025 proto=17 because: acquire pluto: cannot initiate connection for packet 192.168.86.154:40488 -> 192.168.0.132:1025 proto=17 - template conn
Since there is this suspect audit happening, I disabled SELinux enforcing but it didn’t change anything. There are no alerts in the SELinux Troubleshooter. Where do I find more information on what is going on?