authorAndreas Steffen <andreas.steffen@strongswan.org>2007-06-26 10:46:30 +0000
committerAndreas Steffen <andreas.steffen@strongswan.org>2007-06-26 10:46:30 +0000
commit361712fe37cddd7f056e6316a5baca125d08aa8c (patch)
tree09b16e16f6a413eba831669fdad3466ea16035a4 /testing/tests
parent4cb9d7a758751dfe658258bdf39671491ef29cc7 (diff)
use of the right=%<fqdn> wildcard
Diffstat (limited to 'testing/tests')
-rw-r--r--testing/tests/ikev1/dynamic-two-peers/description.txt8
-rwxr-xr-xtesting/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf3
-rwxr-xr-xtesting/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf6
4 files changed, 8 insertions, 12 deletions
diff --git a/testing/tests/ikev1/dynamic-two-peers/description.txt b/testing/tests/ikev1/dynamic-two-peers/description.txt
index cb63a984d..56a1c0754 100644
--- a/testing/tests/ikev1/dynamic-two-peers/description.txt
+++ b/testing/tests/ikev1/dynamic-two-peers/description.txt
@@ -1,8 +1,9 @@
The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
-so that the remote end is defined symbolically by <b>right=&lt;hostname&gt;</b>.
+so that the remote end is defined symbolically by <b>right=%&lt;hostname&gt;</b>.
The ipsec starter resolves the fully-qualified hostname into the current IP address
via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
-expected to change over time, the option <b>rightallowany=yes</b> will allow an IKE
+expected to change over time, the prefix '%' is used as an implicit alternative to the
+explicit <b>rightallowany=yes</b> option which will allow an IKE
main mode rekeying to arrive from an arbitrary IP address under the condition that
the peer identity remains unchanged. When this happens the old tunnel is replaced
by an IPsec connection to the new origin.
@@ -10,6 +11,5 @@ by an IPsec connection to the new origin.
In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
<b>moon</b> which has a named connection definition for each peer. Although
the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
-the <b>rightallowany=yes</b> flag <b>moon</b> will accept the IKE negotiations
-from the actual IP addresses.
+the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
index ba6f7bfe9..41123c9d6 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -18,8 +18,7 @@ conn moon
leftcert=carolCert.pem
leftid=carol@strongswan.org
leftfirewall=yes
- right=moon.strongswan.org
- rightallowany=yes
+ right=%moon.strongswan.org
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
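Review bot: The new `right=%moon.strongswan.org` line carries no comment saying that it relaxes the source-address check, which the removed `rightallowany=yes` line spelled out. Per the updated description.txt the '%' prefix is an implicit alternative to that option, so IKE main mode rekeying is accepted from an arbitrary IP address and only the peer identity ties the connection to its peer. A one-line comment above the setting would keep that visible, for example `# '%' prefix implies rightallowany=yes: peer may connect from any address, identity is bound by rightid`. The same applies to the dave hunk and to both conns in the moon hunk.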
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
index 792ddbb0e..2ba4db724 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -18,8 +18,7 @@ conn moon
leftcert=daveCert.pem
leftid=dave@strongswan.org
leftfirewall=yes
- right=moon.strongswan.org
- rightallowany=yes
+ right=%moon.strongswan.org
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
index 040bd078a..50c3a6a69 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -19,15 +19,13 @@ conn %default
leftfirewall=yes
conn carol
- right=carol.strongswan.org
- rightallowany=yes
+ right=%carol.strongswan.org
rightid=carol@strongswan.org
rightsubnet=PH_IP_CAROL1/32
auto=add
conn dave
- right=dave.strongswan.org
- rightallowany=yes
+ right=%dave.strongswan.org
rightid=dave@strongswan.org
rightsubnet=PH_IP_DAVE1/32
auto=add
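Review bot: With both `conn carol` and `conn dave` switched to the '%' prefix, this scenario no longer exercises the explicit `rightallowany=yes` spelling, which description.txt still names as a supported option. Unless another scenario covers it, leaving one of the two conns on the explicit form (`right=dave.strongswan.org` plus `rightallowany=yes`) would keep both syntaxes under test. Whether the scenario's checks confirm that each conn matched the expected `rightid` cannot be seen from these hunks. That is worth confirming, since the source address no longer tells the two peers apart on moon.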