[Openswan Users] Re: NAT Traversal support with openswan (which draft version initiator/responder?)
Nate Carlson
natecars at natecarlson.com
Fri Jun 18 11:26:27 CEST 2004
On Fri, 18 Jun 2004, Xiaoming Yu wrote:
> Thank you all for all the answers provided. Looks like preshared key is
> not a good option to deal with multiple clients.
Very true - I avoid PSK if at all possible, and use X.509.
> I read an article saying that %any can be used in the ipsec.secrets file
> too, but no detail about it. Can I use something like x.x.x.x %any: PSK
> "test". where x.x.x.x is the server IP address? So when the Linux server
> tries to find a matching preshared key, it always finds a match here? I
> tried this but it seems not to work. Can anybody shed some light on using %any
> in ipsec.secrets?
That should work fine. What error do you get?
> Another thing I saw confused me a lot. As I mentioned above, once I
> change one IP to %any in the secrets file, didn't work. Then I want to
> change back to an IP address (the IP of NAT box), to cheat a little
> assuming then it should find the match. But I still saw in the security
> log "cannot authenticate, not preshared key found for x.x.x.x and %any"
> Obviously it still remembers the old %any. I tried everything I can think
> of (delete/recreate a new file, reload the connection, restart
> openswan), but it still does not work. I haven't done a reboot, but I hope it is
> not necessary? Any suggestion here?
Hmm, that's odd - are you still referencing %any in ipsec.conf, or did you
also change it to the remote IP?
> Dept. MR6, VPN Development
> IBM Rochester, MN
Hey, neat, a couple hours southeast of me. :)
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------
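As an added illustration (not part of either poster's message), this is the ipsec.secrets / ipsec.conf pairing that the question above describes: a single PSK entry keyed on the server's own address plus %any, and a matching conn with right=%any. The address 192.0.2.1 and the secret value are placeholders. Because the responder in main mode must select the PSK before it knows the peer's identity, every road warrior matched by %any necessarily shares the same secret, which is the weakness behind the "avoid PSK, use X.509" advice in the reply.

```text
# /etc/ipsec.secrets (added example; 192.0.2.1 is the server's public address)
# Selectors are the local and remote IDs; %any matches every remote peer.
192.0.2.1 %any : PSK "replace-with-a-long-random-secret"

# /etc/ipsec.conf (added example)
conn roadwarrior
        left=192.0.2.1
        right=%any
        authby=secret
        auto=add
```

After editing ipsec.secrets, pluto keeps the previously loaded secrets until told to reread them, so run `ipsec auto --rereadsecrets` (or restart the service) and then check that the ID pair in "no preshared key found for X and Y" in the log actually matches a selector pair in the file; an entry written as `x.x.x.x y.y.y.y : PSK` will not match a peer that pluto sees as %any, and vice versa.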