[Openswan dev] does the openswan support using PSKs over a NAT-ed connection between two openswan linux server?

Michael Richardson mcr at sandelman.ottawa.on.ca
Thu Nov 4 23:48:04 CET 2004




>>>>> "Richard" == Richard Cai <richardc at sz.webex.com> writes:
    Richard> Hi all,

    Richard>         does the openswan2.2.0 support using PSKs over a
    Richard> NAT-ed connection between two openswan linux servers?

  If both ends are NAT-ed and on random IPs, then you can't do any kind
of connection.
  At least one end has to remain stationary, period.

  Once you have that, then the other end appears to be a road warrior,
which means that you can generally support only one RW using PSK and
Main Mode.
  You could do this with aggressive mode, but I wouldn't.

  But, there is simply ZERO reason to use PSK in your situation.
  "ipsec showhostkey --left"
  "ipsec showhostkey --right"

  and then cut & paste, and use RSA authentication, and you will have much
better success.

-- 
]     "Elmo went to the wrong fundraiser" - The Simpsons        |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

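What the advice above looks like in practice on the stationary (non-NATed) Openswan 2.x server, as an added example that is not from the original thread: the NAT-ed peer is accepted as a road warrior (`right=%any`) and authenticated by its RSA host key rather than a PSK, so several such peers can each have their own key, which Main Mode with PSK cannot give you because the PSK is chosen by peer IP before the peer's identity is known. The addresses, the `@` identities, the subnet and both `rsasigkey` values are placeholders; the real values come from `ipsec showhostkey --left` on this host and `ipsec showhostkey --right` on the NAT-ed host.

```conf
# /etc/ipsec.conf on the stationary server (fixed public IP).
# Example written for this post; all values below are placeholders.
config setup
        # Needed so the NAT-ed peer can negotiate UDP encapsulation (NAT-T).
        nat_traversal=yes

conn natted-peer
        # RSA signature authentication instead of a shared secret.
        authby=rsasig

        # This end: stationary, reachable at a fixed address.
        left=203.0.113.10
        leftid=@static.example.org
        leftsubnet=10.10.0.0/24
        # Paste the line printed by "ipsec showhostkey --left" on THIS host.
        leftrsasigkey=0sAQ...LEFT-HOST-KEY-PLACEHOLDER...

        # Other end: behind NAT, so its source address is not known in advance.
        right=%any
        rightid=@natted.example.org
        # LAN behind the NAT-ed server (its private side, not the NAT address).
        rightsubnet=192.168.1.0/24
        # Paste the line printed by "ipsec showhostkey --right" on the NAT-ed host.
        rightrsasigkey=0sAQ...RIGHT-HOST-KEY-PLACEHOLDER...

        # Load the conn and wait for the NAT-ed peer to initiate; this side
        # cannot initiate because it does not know the peer's address.
        auto=add
```

The NAT-ed server uses the same conn with the sides mirrored (`left=%defaultroute`, `right=203.0.113.10`, the same two `rsasigkey` lines) and `auto=start`, since it is the only side able to initiate through the NAT.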