[Openswan dev] Road warrior in aggressive mode can not use %any entry in ipsec.secrets if rightid (other than IP) is specified
paul at xelerance.com
Wed Dec 10 10:14:24 EST 2008
On Wed, 10 Dec 2008, hiren joshi wrote:
> If rightid is other than IP address type, Openswan does not allow
> Aggressive Mode connections to use the %any entry in ipsec.secrets.
That's right. From the man page:
In the case of a "Road Warrior" connection, if an equal match
is not found for the Peer's ID, and it is in the form of an IP
address, an index of %any will match the peer's IP address if
IPv4 and %any6 will match the peer's IP address if IPv6.
> My guess is that, as in aggressive mode the ID is sent in plain, it is to
> prevent an existing road warrior user from using another user's ID.
The only reason for using Aggressive Mode instead of Main Mode
is that you can specify the ID early enough to give different
PSKs to each roadwarrior. If you are going to use the same PSK
for everyone, you might as well use Main Mode.
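To make the quoted man-page rule concrete, here is an added example (not part of this thread and not Openswan's own code) that models a simplified ipsec.secrets PSK lookup: an exact match on any index wins, otherwise an IP-form peer ID falls back to %any or %any6, and a non-IP ID such as @fqdn gets no fallback at all. The secrets file content is constructed, and the parser only handles `... : PSK "..."` lines.

```python
import ipaddress
import re

# Constructed sample ipsec.secrets content (assumption, not from the thread).
SAMPLE_SECRETS = """\
# one PSK per road warrior, keyed by IP and/or @fqdn ID
203.0.113.10 @alice.example.org : PSK "alice-only"
@bob.example.org : PSK "bob-only"
2001:db8::1 : PSK "v6-exact"
# catch-all entries: only reachable by peers that identify by IP address
%any : PSK "shared-v4"
%any6 : PSK "shared-v6"
"""

# indices (whitespace-separated tokens) then ':' then PSK "secret"
LINE_RE = re.compile(
    r'^\s*(?P<ids>(?:\S+\s+)*?):\s+PSK\s+"(?P<psk>[^"]*)"\s*(?:#.*)?$')

def parse_secrets(text):
    """Return [(index_list, psk), ...] for the PSK lines in text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m:  # lines we do not model (RSA, XAUTH, ...) are skipped
            entries.append((m.group('ids').split(), m.group('psk')))
    return entries

def _ip_version(peer_id):
    """4 or 6 if peer_id is a literal IP address, else None."""
    try:
        return ipaddress.ip_address(peer_id).version
    except ValueError:
        return None

def lookup_psk(entries, peer_id):
    """Model of the man-page rule: exact match first, then %any/%any6
    only when the peer ID is itself an IP address."""
    for ids, psk in entries:
        if peer_id in ids:
            return psk
    wildcard = {4: '%any', 6: '%any6'}.get(_ip_version(peer_id))
    if wildcard is None:
        return None  # e.g. @carol.example.org: no %any fallback
    for ids, psk in entries:
        if wildcard in ids:
            return psk
    return None
```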