[Openswan dev] Road warrior in aggressive mode can not use %any entry in ipsec.secrets if rightid (other than IP) is specified

Paul Wouters paul at xelerance.com
Wed Dec 10 10:14:24 EST 2008


On Wed, 10 Dec 2008, hiren joshi wrote:

> If rightid is other than IP address type, Openswan does not allow
> Aggressive mode connections to use the %any entry in ipsec.secrets.

That's right. From the man page:

	In the case of a "Road Warrior" connection, if an equal match
	is not found for the Peer's ID, and it is in the form of an IP
	address, an index of %any will match the peer's IP address if
	IPV4 and %any6 will match the peer's IP address if IPV6.

> My guess is that, as in aggressive mode the ID is sent in plain, it is to
> prevent an existing road warrior user from using another user's ID.

The only reason for using Aggressive Mode instead of Main Mode
is that you can specify the ID early enough to give different
PSKs to each roadwarrior. If you are going to use the same PSK
for everyone, you might as well use Main Mode.

Paul
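The matching rule quoted from the man page, modelled as an added example (not Openswan's own code): a small ipsec.secrets parser plus a lookup that tries an exact index match first and falls back to %any/%any6 only when the peer ID is an IP address. The secrets file content is constructed, only PSK lines are handled, and the check of the local gateway's own ID is left out for brevity.

```python
import ipaddress
import re

# Constructed sample ipsec.secrets content, not taken from the post.
# Per-ID keys for road warriors that send an FQDN ID in aggressive mode,
# plus a %any catch-all that only applies to peers identified by IP.
SAMPLE_SECRETS = """\
# gateway 192.0.2.1 plus one road warrior each, identified by FQDN
192.0.2.1 @rw1.example.net : PSK "per-user-key-1"
192.0.2.1 @rw2.example.net : PSK "per-user-key-2"
# catch-all for peers whose ID is their IPv4 address
192.0.2.1 %any : PSK "shared-key"
"""

PSK_LINE = re.compile(r'^(.+?)\s*:\s*PSK\s+"([^"]*)"$')


def parse_secrets(text):
    """Return [(indices, psk), ...] from ipsec.secrets-style PSK lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PSK_LINE.match(line)
        if not m:
            raise ValueError("unsupported secrets line: %r" % line)
        entries.append((m.group(1).split(), m.group(2)))
    return entries


def ip_version(peer_id):
    """4 or 6 if peer_id is an IP address literal, else None (e.g. @fqdn)."""
    try:
        return ipaddress.ip_address(peer_id).version
    except ValueError:
        return None


def lookup_psk(entries, peer_id):
    """Exact index match first; %any (IPv4) / %any6 (IPv6) only if the
    peer ID is an IP address. A non-IP ID with no exact entry gets None,
    which is the refusal the thread describes for aggressive mode."""
    for indices, psk in entries:
        if peer_id in indices:
            return psk
    wildcard = {4: "%any", 6: "%any6"}.get(ip_version(peer_id))
    if wildcard is None:
        return None
    for indices, psk in entries:
        if wildcard in indices:
            return psk
    return None


ENTRIES = parse_secrets(SAMPLE_SECRETS)
```

Running `lookup_psk(ENTRIES, "@rw3.example.net")` returns None even though a %any line exists, while an IPv4 peer ID falls through to the shared key.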