[Openswan dev] Aggressive Mode and multiple tunnels with different PSK

Frank Eberle frank.a.eberle at googlemail.com
Tue Jul 7 02:31:13 EDT 2009


Hello,

>> I've tried to setup multiple tunnels using aggressive mode with
>> different PSKs. It seems that this does not work. I've searched for a
>> solution and found the following patch
>>
>> http://lists.openswan.org/pipermail/dev/2009-April/002069.html
>
> Looking at the first hunk, I am a little confused about the "shared" nature
> and the printing being wrong. Perhaps Hugh can shed some light on that,
> and whether the hunk is right?
>
> As for the second part, I am not sure what the implications are without
> doing some more research.
>
>> Does anybody know if this patch has negative impacts on the security
>> or stability of PLUTO? I'm wondering why the official code does not
>> allow this kind of setup. Some vendors of IPSec gateways allow
>> different tunnels with PSK and aggressive mode.
>
> I thought this was working already? Are you specifying right/left ids in
> your conn that are not just the ip itself?
>
> Thanks for pointing out the patch, it definitely needs some closer
> examination.
>
> Paul

Below you can see my configuration. Without the patch the
configuration is not working (only "tunnel1" is working). With the
patch applied I'm able to use "tunnel1" and "tunnel2". Both tunnels
use an FQDN as the IPsec ID. If I'm understanding aggressive mode
correctly, the IPsec ID is transmitted unencrypted. So PLUTO should be
able to select the corresponding tunnel definition and PSK.

-- start ipsec.conf --
config setup
	interfaces="ipsec0=eth1"
	klipsdebug=none
	plutodebug="control emitting parsing"
	pluto=yes
	forwardcontrol=yes
	uniqueids=no
	hidetos=yes
	manualstart=""
	strictcrlpolicy=no


conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore

conn tunnel1
	type=tunnel
	keyingtries=1
	authby=secret
	pfs=no
	compress=no
	keylife=3600
	ikelifetime=7800
	ike=3des-md5-modp1024
	auth=esp
	esp=3des-md5
	left=192.168.11.12
	auto=add
	right=%any
	aggrmode=yes
	leftsubnet=10.0.0.0/24
	rightsubnet=10.0.1.0/24
	leftid=@sys1.network.local
	rightid=@sys2.network.local


conn tunnel2
	type=tunnel
	keyingtries=1
	authby=secret
	pfs=no
	compress=no
	keylife=3600
	ikelifetime=7800
	ike=3des-md5-modp1024
	auth=esp
	esp=3des-md5
	left=192.168.11.12
	auto=add
	right=%any
	aggrmode=yes
	leftsubnet=10.0.0.0/24
	rightsubnet=10.0.2.0/24
	leftid=@sys1.network.local
	rightid=@sys3.network.local
-- end ipsec.conf --

-- start PSK --
@sys1.network.local @sys2.network.local: PSK "foo"
@sys1.network.local @sys3.network.local: PSK "bar"
-- end PSK --


Best regards

Frank
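As an added example (not code from this post and not Openswan's Pluto), the Python below shows the mechanism the post relies on: in an IKEv1 aggressive-mode first message the IDii payload is sent in the clear next to the SA, KE and nonce payloads, so a responder can parse the initiator's ID before any keying material exists and use it to pick the conn and the PSK. Header and payload layout follow RFC 2408 and RFC 2407; the SA, KE and nonce bodies are placeholder bytes (constructed), the conn table and the secrets text are copied from the configuration above, and all constant and function names are this example's own, not Pluto's.

```python
import os
import struct

# ISAKMP constants (RFC 2408 header/payload layout, RFC 2407 ID types)
ISAKMP_VERSION = 0x10          # IKEv1 major 1, minor 0
EXCH_AGGRESSIVE = 4
FLAG_ENCRYPTION = 0x01         # set once payloads are encrypted; never set in AM message 1
PL_NONE, PL_SA, PL_KE, PL_ID, PL_NONCE = 0, 1, 4, 5, 10
ID_FQDN = 2
HDR_FMT = "!8s8sBBBBII"        # icookie, rcookie, next payload, version, exchange, flags, msgid, length
HDR_LEN = struct.calcsize(HDR_FMT)   # 28 bytes

# Local side and the rightid -> conn mapping taken from the ipsec.conf in the post
LOCAL_ID = "@sys1.network.local"
CONNS = {"@sys2.network.local": "tunnel1", "@sys3.network.local": "tunnel2"}

# The ipsec.secrets lines from the post (placeholder PSK values, as posted)
SECRETS_TEXT = '''@sys1.network.local @sys2.network.local: PSK "foo"
@sys1.network.local @sys3.network.local: PSK "bar"
'''


def parse_secrets(text):
    """Index 'id id: PSK "value"' lines as (id, id) -> value (hypothetical minimal parser)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, rhs = line.split(":", 1)
        kind, _, value = rhs.strip().partition(" ")
        if kind == "PSK":
            table[tuple(lhs.split())] = value.strip().strip('"')
    return table


def build_aggressive_msg1(initiator_fqdn):
    """Constructed IKEv1 aggressive-mode message 1: HDR, SA, KEi, Ni, IDii.
    Only the payload chain and the ID content are realistic; SA/KE/nonce are filler."""
    id_body = struct.pack("!BBH", ID_FQDN, 0, 0) + initiator_fqdn.encode("ascii")
    chain = [(PL_SA, b"\x00" * 8), (PL_KE, b"\x01" * 128),
             (PL_NONCE, b"\x02" * 16), (PL_ID, id_body)]
    body = b""
    for i, (_ptype, pbody) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else PL_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody   # generic payload header
    hdr = struct.pack(HDR_FMT, os.urandom(8), b"\x00" * 8, chain[0][0],
                      ISAKMP_VERSION, EXCH_AGGRESSIVE, 0, 0, HDR_LEN + len(body))
    return hdr + body


def parse_isakmp(msg):
    """Walk the payload chain with bounds checks; return (exchange type, flags, [(type, body)])."""
    if len(msg) < HDR_LEN:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, version, exch, flags, _msgid, length = struct.unpack(HDR_FMT, msg[:HDR_LEN])
    if version != ISAKMP_VERSION or length != len(msg):
        raise ValueError("bad version or length field")
    payloads, off = [], HDR_LEN
    while nxt != PL_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append((nxt, msg[off + 4:off + plen]))
        nxt, off = following, off + plen
    return exch, flags, payloads


def initiator_id(msg):
    """Return the initiator's FQDN ID as an '@name' string from a cleartext AM message 1."""
    exch, flags, payloads = parse_isakmp(msg)
    if exch != EXCH_AGGRESSIVE:
        raise ValueError("not an aggressive-mode exchange")
    if flags & FLAG_ENCRYPTION:
        raise ValueError("payloads are encrypted; ID is not readable here")
    for ptype, body in payloads:
        if ptype == PL_ID:
            if len(body) < 4:
                raise ValueError("short ID payload")
            id_type, _proto, _port = struct.unpack("!BBH", body[:4])
            if id_type != ID_FQDN:
                raise ValueError("unexpected ID type %d" % id_type)
            return "@" + body[4:].decode("ascii")
    raise ValueError("no ID payload in message 1")


def select_conn_and_psk(msg, conns=CONNS, secrets=None):
    """Pick (conn name, PSK) for the peer named in the message, or None if nothing matches."""
    secrets = parse_secrets(SECRETS_TEXT) if secrets is None else secrets
    peer = initiator_id(msg)
    conn, psk = conns.get(peer), secrets.get((LOCAL_ID, peer))
    return None if conn is None or psk is None else (conn, psk)


if __name__ == "__main__":
    for fqdn in ("sys2.network.local", "sys3.network.local", "unknown.example"):
        print(fqdn, "->", select_conn_and_psk(build_aggressive_msg1(fqdn)))
```

The three constructed messages resolve to tunnel1 with "foo", tunnel2 with "bar", and no match. The property that makes this selection possible is also the known weakness of PSK in aggressive mode: the responder's HASH_R in message 2 is likewise sent unencrypted and is computed from SKEYID = prf(PSK, Ni | Nr) over values visible on the wire, so anyone who captures an exchange, or who initiates one with a guessed valid ID, can run an offline dictionary attack on that peer's PSK. Main mode keeps the ID encrypted, which is exactly why a responder there can only choose a PSK by peer IP address and why right=%any with per-peer PSKs pushes deployments toward aggressive mode.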