<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: [Openswan Users] Problem with multiple road-warriors and psk</TITLE>
</HEAD>
<BODY>
<DIV id=idOWAReplyText24777 dir=ltr>
<DIV dir=ltr><FONT face="courier new" color=#000000 size=2>Paul,</FONT></DIV>
<DIV dir=ltr><FONT face="courier new" color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="courier new" color=#000000 size=2>They are all Linksys
routers, but there can also be other routers (like Netopia). With a Netopia it
is not possible to specify the id in main mode.</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2>It is 1 openswan server and
multiple routers (with a subnet behind).</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2>I think the Linksys routers use a
modified freeswan version.</FONT></DIV>
<DIV dir=ltr><FONT face="Courier New" size=2></FONT> </DIV>
<DIV dir=ltr><FONT face="Courier New" size=2>Andy</FONT></DIV>
<DIV dir=ltr>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr><FONT face=Tahoma size=2><B>From:</B> Paul Wouters
[mailto:paul@xelerance.com]<BR><B>Sent:</B> Thu 21/09/2006
19:23<BR><B>To:</B> Andy Van den Heede<BR><B>CC:</B>
users@openswan.org<BR><B>Subject:</B> RE: [Openswan Users] Problem with
multiple road-warriors and psk<BR></FONT><BR></DIV></DIV>
<DIV>
<P><FONT size=2>On Thu, 21 Sep 2006, Andy Van den Heede wrote:<BR><BR>> How
should you configure the ipsec.conf and ipsec.secrets in this<BR>>
situation?<BR><BR>I am not sure I fully know your situation.<BR><BR>> Also
for a lot more connections?<BR><BR>If these are all linksys linux based ipsec
clients, I would use raw rsa<BR>keys, and not PSK. If these clients are windows
behind linksys'es, I<BR>would use an X.509 setup.<BR><BR>Paul<BR><BR>>
-----Original Message-----<BR>> From: Paul Wouters [<A
href="mailto:paul@xelerance.com">mailto:paul@xelerance.com</A>]<BR>>
Sent: Thursday 21 September 2006 16:53<BR>> To: Andy Van den
Heede<BR>> CC: users@openswan.org<BR>> Subject: RE: [Openswan Users]
Problem with multiple road-warriors and<BR>> psk<BR>><BR>> On Wed, 20
Sep 2006, Andy Van den Heede wrote:<BR>><BR>> > I also did a test with
two different leftid's. Also in main mode....<BR>> ><BR>> > But when
the linksys1 tries to build up the tunnel, the openswan tries<BR>> > to
bring up the tunnel 2.<BR>><BR>> If phase 1 is identical, then the name is
arbitrary and gets switched<BR>> midway through<BR>> the tunnel
setup.<BR>><BR>> > I use aggressive mode because there will be dynamic IP
addresses at the<BR>> > external side of the Linksys routers. The setup
now is a test network.<BR>><BR>> So? Aggressive mode is insecure, and
should only be used when forced by<BR>> stupid (read Cisco) setups. Avoid
aggressive mode at all cost.<BR>> Especially<BR>> with PSK, because it
allows for brute forcing the PSK. And even without<BR>> the brute forcing,
any client can pretend to be the gateway and get<BR>> further
credentials.<BR>><BR>> Paul<BR>><BR><BR>--<BR>Building and integrating
Virtual Private Networks with Openswan:<BR><A
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</A><BR>_______________________________________________________________________<BR><BR>Fancy
a skid course?<BR><BR>Take a quick look at <A
href="http://www.axsweb.be">http://www.axsweb.be</A><BR><BR></FONT></P></DIV>
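<P><FONT size=2>Added example, not part of the original messages and not taken from the Openswan project: a gateway-side ipsec.conf for the raw RSA approach suggested above, with one conn per router, dynamic router addresses and main mode. The connection names, IDs, addresses, subnets and key values are constructed placeholders, and it assumes each router can be given its own ID and RSA key.</FONT></P>
<PRE>
```conf
# /etc/ipsec.conf on the Openswan gateway.
# Added example: every name, address, subnet and key below is a constructed
# placeholder, not a value from the thread.
version 2.0

conn %default
    authby=rsasig            # raw RSA signatures instead of a shared PSK
    aggrmode=no              # stay in main mode
    left=203.0.113.10        # gateway's fixed public address (constructed)
    leftid=@gw.example.test
    leftsubnet=10.0.0.0/24
    # Gateway public key, as printed by: ipsec showhostkey --left
    leftrsasigkey=0sPLACEHOLDER_GATEWAY_PUBLIC_KEY
    right=%any               # routers connect from dynamic addresses
    auto=add                 # wait for the routers to initiate

# With RSA signatures the gateway learns the peer ID before it has to choose
# a key, so each router gets its own conn, ID and key even though every
# right= is %any. With PSK in main mode the key has to be chosen from the
# peer address alone, which is why identical phase 1 settings get mixed up.

conn linksys1
    rightid=@linksys1.example.test
    rightsubnet=192.168.1.0/24
    rightrsasigkey=0sPLACEHOLDER_LINKSYS1_PUBLIC_KEY

conn linksys2
    rightid=@linksys2.example.test
    rightsubnet=192.168.2.0/24
    rightrsasigkey=0sPLACEHOLDER_LINKSYS2_PUBLIC_KEY

# /etc/ipsec.secrets then holds only the gateway's own private key as a
# ": RSA { ... }" entry (ipsec newhostkey --output /etc/ipsec.secrets).
# No PSK line is shared between the routers.
```
</PRE>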
</BODY>
</HTML>