[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)
Xiaoming Yu
xiaoming at us.ibm.com
Thu Jun 17 17:01:32 CEST 2004
One more comment on this subject. Even when we decide to use certificates
with leftid, rightid, if this is still a client server scenario, and I have
multiple clients. On the server side, do I have to set up multiple
connections in the config file, one for each client with unique
certificate? Is it just easier to use one preshared key, at least for
testing? I know in real life, probably worth it because of the security
benefit.
Thanks.
Xiaoming
From: Paul Wouters <paul at xelerance.com>
Date: 06/17/2004 03:48 PM
To: Michael Richardson <mcr at sandelman.ottawa.on.ca>
cc: Xiaoming Yu/Rochester/IBM at IBMUS, users at lists.openswan.org
Subject: Re: [Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

On Thu, 17 Jun 2004, Michael Richardson wrote:
> >>>>> "Xiaoming" == Xiaoming Yu <xiaoming at us.ibm.com> writes:
> Xiaoming> I tried %any in the config file and it found a connection
> Xiaoming> and went a step further. But it failed to find the
> Xiaoming> preshared key in the ipsec.secrets because I am still
> Xiaoming> using the private IP there. Previous argument will apply
>
> Don't use PSK with NAT-T.
>
> Use pre-exchanged RSA-keys, or X.509 only.
And if you use a rightid and leftid, the connections will be found
regardless of the IP and whether or not the connection is NATed.
Paul
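
Added example, not part of the original thread and not taken from the Openswan project: a server-side ipsec.conf sketch contrasting the PSK connection discussed above with an RSA-signature connection matched by leftid/rightid. All addresses, IDs and key values are constructed placeholders; the layout assumes an Openswan 2.x style configuration.

```conf
# /etc/ipsec.conf on the server (constructed example)
version 2.0

config setup
    nat_traversal=yes

# Discouraged with NAT-T: the preshared key is selected from
# ipsec.secrets by address, so an entry written for the client's
# private IP does not match the address seen after NAT.
conn client-psk
    authby=secret
    left=192.0.2.1
    right=%any
    auto=add

# Recommended in the thread: RSA authentication with explicit IDs.
# The connection is selected by rightid, not by the peer's IP,
# so it is found whether or not the client is behind NAT.
conn client-rsasig
    authby=rsasig
    left=192.0.2.1
    leftid=@gateway.example.com
    # placeholder: server public key
    leftrsasigkey=0sPLACEHOLDER_SERVER_PUBLIC_KEY
    right=%any
    rightid=@client1.example.com
    # placeholder: client public key
    rightrsasigkey=0sPLACEHOLDER_CLIENT_PUBLIC_KEY
    auto=add
```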