I have this (generally working) config for libreswan:
conn work
    ikev2=insist
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=me@my.comp.any
    leftmodecfgclient=yes
    right=81.81.81.81
    rightid=me@my.comp.any
    rightsubnet=192.168.0.0/24
    auto=ondemand
    authby=secret
    mobike=yes
    narrowing=yes
    dpddelay=30
    dpdtimeout=90
    dpdaction=restart
Using the config value auto=add together with the command ipsec auto --up work, the tunnel is confirmed to be working. Now I was trying the auto=ondemand setting, which should bring up the tunnel on the first packet to the remote subnet. Issuing a ping to 192.168.0.132 causes libreswan to do something, but it does not complete. This is the syslog output:
audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0.0.0.0 src_prefixlen=0 dst=192.168.0.0 dst_prefixlen=24
pluto[140534]: initiate on demand from 192.168.86.154:40488 to 192.168.0.132:1025 proto=17 because: acquire
pluto[140534]: cannot initiate connection for packet 192.168.86.154:40488 -> 192.168.0.132:1025 proto=17 - template conn
Since this suspicious audit event is happening, I disabled SELinux enforcing, but it didn't change anything. There are no alerts in the SELinux Troubleshooter. Where do I find more information on what is going on?