[Openswan dev] Aggressive Mode and multiple tunnels with different PSK
frank.a.eberle at googlemail.com
Tue Jul 7 02:31:13 EDT 2009
>> I've tried to setup multiple tunnels using aggressive mode with
>> different PSKs. It seems that this does not work. I've searched for a
>> solution and found the following patch
> Looking at the first hunk, I am a little confused about the "shared" nature
> and the printing being wrong. Perhaps Hugh can shed some light on that,
> and whether the hunk is right?
> As for the second part, I am not sure what the implications are without
> doing some more research.
>> Does anybody know if this patch has negative impacts on the security
>> or stability of PLUTO? I'm wondering why the official code does not
>> allow this kind of setup. Some vendors of IPSec gateways allow
>> different tunnels with PSK and aggressive mode.
> I thought this was working already? Are you specifying right/left ids in
> your conn that are not just the ip itself?
> Thanks for pointing out the patch, it definitely needs some closer
Below you can see my configuration. Without the patch the
configuration is not working (only "tunnel1" is working). With the
patch applied I'm able to use "tunnel1" and "tunnel2". Both tunnels
use an FQDN as the IPSec ID. If I'm understanding aggressive mode
correctly, the IPSec ID is transmitted unencrypted, so PLUTO should be
able to select the corresponding tunnel definition and PSK.
-- start ipsec.conf --
plutodebug="control emitting parsing"
strictcrlpolicy = no
-- end ipsec.conf --
-- start PSK --
@sys1.network.local @sys2.network.local: PSK "foo"
@sys1.network.local @sys3.network.local: PSK "bar"
-- end PSK --
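The point made in the message above, that an aggressive-mode responder sees the peer's ID in cleartext and can therefore pick the PSK by ID rather than by source address, is illustrated below with an added example. It is not part of this thread and not Openswan/Pluto code: a toy model of IKEv1 PSK selection that parses secrets in the ipsec.secrets form quoted above, contrasts main-mode selection (ID arrives encrypted in message 5, so only the IP is known when SKEYID must be derived) with aggressive-mode selection (ID_ii is in message 1), and then shows the price of aggressive mode: HASH_R is computed from cleartext fields plus the PSK, so a captured exchange allows an offline dictionary attack. The secrets text, the shared NAT address 192.0.2.10, the "captured" fields and the wordlist are all constructed for the example; HMAC-SHA1 stands in for the negotiated prf.

```python
# Added example, not part of the original thread or of Openswan/Pluto.
# Toy model of IKEv1 responder PSK selection and of why aggressive mode
# with PSKs is crackable offline. Formulas follow RFC 2409 section 5:
#   SKEYID = prf(PSK, Ni_b | Nr_b)
#   HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
# All data below is constructed for illustration.
import hashlib
import hmac
import os
import re

# Constructed secrets in the ipsec.secrets format quoted in the thread.
SECRETS_TEXT = '''
@sys1.network.local @sys2.network.local: PSK "foo"
@sys1.network.local @sys3.network.local: PSK "bar"
'''

LINE_RE = re.compile(r'^\s*((?:@[^\s:]+\s*)+):\s*PSK\s+"([^"]*)"\s*$')


def parse_secrets(text):
    """Return a list of (frozenset_of_ids, psk) from ipsec.secrets-style text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError('unparseable secrets line: %r' % line)
        entries.append((frozenset(m.group(1).split()), m.group(2)))
    return entries


def psk_for_ids(entries, my_id, peer_id):
    """Exact selection: the single entry indexed by both IDs, else None."""
    hits = [psk for ids, psk in entries if my_id in ids and peer_id in ids]
    return hits[0] if len(hits) == 1 else None


def psk_for_ip(entries, my_id, src_ip, ids_behind_ip):
    """Main-mode selection. The responder must derive SKEYID from the PSK
    before it can decrypt message 5 (which carries ID_ii), so at selection
    time it only knows the source IP. If several IDs sit behind that IP
    (NAT, or one gateway fronting several peers), the choice is ambiguous."""
    candidates = {psk_for_ids(entries, my_id, pid)
                  for pid in ids_behind_ip.get(src_ip, ())}
    candidates.discard(None)
    return candidates.pop() if len(candidates) == 1 else None


def psk_for_aggressive_msg1(entries, my_id, msg1):
    """Aggressive-mode selection: message 1 carries ID_ii in the clear."""
    return psk_for_ids(entries, my_id, msg1['id_ii'])


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, ni, nr, gxr, gxi, cky_r, cky_i, sai, id_ir):
    """HASH_R for PSK authentication. Every input except the PSK travels in
    cleartext in aggressive mode, so an observer can recompute it."""
    skeyid = prf(psk.encode(), ni + nr)
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai + id_ir)


def crack_psk(wordlist, observed_hash_r, **fields):
    """Offline dictionary attack on a captured aggressive-mode exchange."""
    for guess in wordlist:
        if hmac.compare_digest(hash_r(guess, **fields), observed_hash_r):
            return guess
    return None


def demo():
    entries = parse_secrets(SECRETS_TEXT)
    me = '@sys1.network.local'
    # Constructed: both peers reach sys1 from the same NATed address.
    ids_behind = {'192.0.2.10': ['@sys2.network.local', '@sys3.network.local']}
    main_mode = psk_for_ip(entries, me, '192.0.2.10', ids_behind)  # ambiguous
    agg2 = psk_for_aggressive_msg1(
        entries, me, {'src': '192.0.2.10', 'id_ii': '@sys2.network.local'})
    agg3 = psk_for_aggressive_msg1(
        entries, me, {'src': '192.0.2.10', 'id_ii': '@sys3.network.local'})
    # Constructed "captured" cleartext fields of an aggressive-mode exchange.
    fields = dict(ni=os.urandom(16), nr=os.urandom(16),
                  gxr=os.urandom(32), gxi=os.urandom(32),
                  cky_r=os.urandom(8), cky_i=os.urandom(8),
                  sai=b'\x00\x00\x00\x01', id_ir=me.encode())
    captured = hash_r('bar', **fields)
    recovered = crack_psk(['password', 'foo', 'bar'], captured, **fields)
    return main_mode, agg2, agg3, recovered


if __name__ == '__main__':
    print(demo())
```

The first value is None because main mode cannot tell the two ID-indexed secrets apart by address, while both aggressive-mode lookups succeed; the last value shows the trade-off the thread asks about: with aggressive mode the PSK strength is the only thing protecting the exchange, since everything else that goes into HASH_R is on the wire (this is what ike-scan's psk-crack automates). Main mode with distinct PSKs is fine when each peer has its own address and the secrets are indexed by IP; it is the ID-indexed setup above that needs aggressive mode or certificates.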