[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)

Xiaoming Yu xiaoming at us.ibm.com
Fri Jun 18 11:03:55 CEST 2004


Thank you all for all the answers provided. Looks like a preshared key is not
a good option to deal with multiple clients. I read an article saying that
%any can be used in the ipsec.secrets file too, but no detail about it. Can
I use something like `x.x.x.x %any: PSK "test"`, where x.x.x.x is the server
IP address? So when the Linux server tries to find a matching preshared
key, it always finds a match here? I tried this but it seems not to work. Can
anybody shed some light on using %any in ipsec.secrets?

Another thing I saw confused me a lot. As I mentioned above, once I changed
one IP to %any in the secrets file, it didn't work. Then I wanted to change
back to an IP address (the IP of the NAT box), to cheat a little, assuming then
it should find the match. But I still saw in the security log "cannot
authenticate, not preshared key found for x.x.x.x and %any". Obviously it
still remembers the old %any. I tried everything I can think of
(delete/recreate a new file, reload the connection, restart openswan), but
it still does not work. I haven't done a reboot, but I hope it is not necessary? Any
suggestion here?

Thanks so much again for any feedback.

Xiaoming Yu
Dept. MR6,  VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: xiaoming at us.ibm.com





                                                                           
             Paul Wouters                                                  
             <paul at xelerance.c                                             
             om>                                                        To 
                                       Xiaoming Yu/Rochester/IBM at IBMUS     
             06/17/2004 06:03                                           cc 
             PM                        users at lists.openswan.org            
                                                                   Subject 
                                       Re: [Openswan Users]  Re: NAT       
                                       Traversal support with openswan     
                                       (which draft version                
                                       initiator/responder?)               
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




On Thu, 17 Jun 2004, Xiaoming Yu wrote:

> But what if the other system is a non-Linux platform? I am not sure this
> way of generating SA signature is universal, isn't it? Say is there a
> corresponding application or command I can run to generate the key on
> other platforms?

Then for now you are stuck with X.509 certificates.

Perhaps IKEv2 fixes some of this. Michael?

Paul
