[strongSwan] Single ipsec.conf template that can handle NAT and non-NAT configuration at the same time

Ansis Atteka ansisatteka at gmail.com
Sat Dec 8 03:28:25 CET 2012


Let's say that I want to use the same ipsec.conf template on both
peers. One of the peers could be behind a NAT (in that case I do not
know in advance to which IP address it will be NATed). Also, sometimes
both peers might be connected directly without any NATs. The same
template should support both deployments.

Now I came up with this ipsec.conf template that looks something like:

config setup
    charonstart=yes
    plutostart=no

conn %default
    keyingtries=%forever
    type=tunnel
    installpolicy=no
    keyexchange=ikev2

conn remote-<peer>
    reqid=1
    left=%any
    leftcert=/client-cert.pem
    rightcert=/<peer>.pem

conn remote-<peer>-direct
    also=remote-<peer>
    auto=start
    right=<peer>

conn remote-<peer>-nat-initiator
    also=remote-<peer>
    auto=start
    right=<peer>
    leftsourceip=%config

conn remote-<peer>-nat-responder
    also=remote-<peer>
    auto=start
    right=%any
    rightsourceip=<peer>


Is it possible to merge all these "conn" entries into a single "conn"
entry so that it would still support NAT and non-NAT deployment?
Otherwise, on the responder, if remote-<peer>-nat-responder was
negotiated, then remote-<peer>-direct and
remote-<peer>-nat-initiator would still be pointlessly stuck in the
"CONNECTING" state...

I tried to experiment with rightallowany=yes, but that left strongSwan
stuck in IKE negotiation because, I guess, it uses the NATed IP address
to find a proposal, but it couldn't find any.

Best regards,
Ansis
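As an added example (not code from the original post or from strongSwan), here is a small Python resolver that applies the ipsec.conf `conn %default` and `also=` inheritance rules to the template above and lists the keys on which the three derived conns actually differ; it assumes `<peer>` filled in with the constructed documentation address 192.0.2.10 and the own-keys-over-included-keys precedence described in the ipsec.conf manual.

```python
# Added example (not from the original post): resolve strongSwan ipsec.conf
# "conn" sections (applying "conn %default" and "also=") and compare them.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
conn remote-peer
    reqid=1
    left=%any
conn remote-peer-direct
    also=remote-peer
    auto=start
    right=192.0.2.10
conn remote-peer-nat-initiator
    also=remote-peer
    auto=start
    right=192.0.2.10
    leftsourceip=%config
conn remote-peer-nat-responder
    also=remote-peer
    auto=start
    right=%any
    rightsourceip=192.0.2.10
"""

def parse_conns(text):
    """{conn_name: {key: value}} for every 'conn' section; other sections skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments
        if line and not line[0].isspace():              # section header at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif line and current is not None:              # indented key=value line
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def effective_conn(conns, name, seen=()):
    """Resolved settings: %default < also= target < the conn's own keys."""
    if name in seen:
        raise ValueError(f"also= cycle through {name}")
    own = dict(conns[name])
    base = effective_conn(conns, own.pop("also"), seen + (name,)) if "also" in own else {}
    return {**conns.get("%default", {}), **base, **own}

def differing_keys(conns, names):
    """Keys whose resolved value is not identical across `names` (shared keys omitted)."""
    resolved = {n: effective_conn(conns, n) for n in names}
    return {k: {n: resolved[n].get(k) for n in names} for k in sorted(set().union(*resolved.values()))
            if len({resolved[n].get(k) for n in names}) > 1}
```

Running `differing_keys` over the three derived conns shows they share reqid, left and auto and differ only in right, leftsourceip and rightsourceip, which is why the responder cannot tell them apart by peer identity alone once one of them is up.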
