[Openswan Users] Re: NAT Traversal support with openswan
Xiaoming Yu
xiaoming at us.ibm.com
Mon Jun 21 10:36:17 CEST 2004
Nate:
I just saw your reply. Your email was not sent to me directly, so I didn't see it
until I read the daily digest. Sorry for the delay.
Here is the answer to your question. This is the error message I received
when I used %any in the ipsec.secrets file:
Jun 21 09:04:52 vpn pluto[19843]: | looking for secret for 9.10.109.122->9.5.56.160 of kind PPK_PSK
Jun 21 09:04:52 vpn pluto[19843]: "test"[2] 9.5.56.160 #2: Can't authenticate: no preshared key found for `9.10.109.122' and `%any'. Attribute OAKLEY_AUTHENTICATION_METHOD
You can see it thinks 9.5.56.160 doesn't match the %any for some reason.
For your second question, yes, I still used %any in my ipsec.conf file. It
used to work without NAT. Now I changed from %any to 9.5.56.160 in the
secrets file, but still got the same error above. That is why I said the
old secret is still remembered. So odd!
This is part of my conf file for your reference. This is a host-to-host
scenario:
conn test
    type=tunnel
    # left is the roadwarrior side: any address may connect
    left=%any
    #leftnexthop=%defaultroute
    #leftsubnet=9.5.56.160/32
    # right is the server side
    right=9.10.109.122
    rightnexthop=%defaultroute
    #rightsubnet=9.10.109.122/32
    rekey=yes
    auth=esp
Any comment? From anybody?
Thanks so much.
Xiaoming
Message: 4
Date: Fri, 18 Jun 2004 10:26:27 -0500 (CDT)
From: Nate Carlson <natecars at natecarlson.com>
Subject: Re: [Openswan Users] Re: NAT Traversal support with openswan
(which draft version initiator/responder?)
To: users at lists.openswan.org
Message-ID: <Pine.LNX.4.58.0406181022570.17985@conformity.technicality.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Fri, 18 Jun 2004, Xiaoming Yu wrote:
> Thank you all for all the answers provided. Looks like preshared key is
> not a good option to deal with multiple clients.
Very true - I avoid PSK if at all possible, and use X.509.
> I read an article saying that %any can be used in the ipsec.secrets file
> too, but no detail about it. Can I use something like x.x.x.x %any: PSK
> "test", where x.x.x.x is the server IP address? So when the Linux server
> tries to find a matching preshared key, it always finds a match here? I
> tried this but it seems not to work. Can anybody shed some light on using %any
> in ipsec.secrets?
That should work fine. What error do you get?
> Another thing I saw confused me a lot. As I mentioned above, once I
> changed one IP to %any in the secrets file, it didn't work. Then I wanted to
> change back to an IP address (the IP of the NAT box), to cheat a little,
> assuming then it should find the match. But I still saw in the security
> log "cannot authenticate, no preshared key found for x.x.x.x and %any".
> Obviously it still remembers the old %any. I tried everything I can think
> of (delete/recreate a new file, reload the connection, restart
> openswan), but it still does not work. I haven't done a reboot, but I hope it is
> not necessary? Any suggestion here?
Hmm, that's odd - are you still referencing %any in ipsec.conf, or did you
also change it to the remote IP?
> Dept. MR6, VPN Development
> IBM Rochester, MN
Hey, neat, a couple hours southeast of me. :)
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------
Xiaoming Yu
Dept. MR6, VPN Development
IBM Rochester, MN
Phone: (507)253-5829
Email: xiaoming at us.ibm.com
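The thread turns on two questions: whether a line like `9.10.109.122 %any: PSK "test"` matches a lookup for the pair 9.10.109.122 -> 9.5.56.160, and why an edited secrets file can appear to be "remembered" by the running daemon. The following is an added toy model written for this page; it is not openswan or pluto code, and its matching rules (each line lists IDs followed by `: PSK "key"`, `%any` matches any ID, the most specific matching line wins, and the daemon only sees changes after an explicit reload) are a simplified assumption about how such a file is searched, not a description of pluto's actual resolver, which also considers non-address IDs. The addresses 9.10.109.122 and 9.5.56.160 are the ones from the thread; 9.5.56.1 is a constructed stand-in for the client's pre-NAT address.

```python
"""Toy ipsec.secrets PSK lookup model (added example, not openswan code)."""
import re

# Parses lines of the form:  ID [ID ...] : PSK "key"
# Limitation of this toy: IDs containing ':' (IPv6 literals) are not handled.
LINE_RE = re.compile(r'^\s*(?P<ids>[^:#]+?)\s*:\s*PSK\s+"(?P<key>[^"]*)"\s*$')

LOCAL = "9.10.109.122"      # server address (from the thread)
NAT_PEER = "9.5.56.160"     # address the server sees after NAT (from the thread)
PRE_NAT_PEER = "9.5.56.1"   # constructed: the client's address before NAT

# Constructed sample files: the old one names the pre-NAT address,
# the new one uses %any for the peer.
OLD_FILE = f'{LOCAL} {PRE_NAT_PEER}: PSK "oldkey"\n'
NEW_FILE = f'{LOCAL} %any: PSK "test"   # any peer may use this key\n'


def parse_secrets(text):
    """Return a list of (ids_tuple, key) entries from secrets-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable secrets line: {raw!r}")
        entries.append((tuple(m.group("ids").split()), m.group("key")))
    return entries


def ids_match(entry_ids, local, peer):
    """An entry applies when both endpoints are covered; %any covers anything."""
    def covered(want):
        return any(i == want or i == "%any" for i in entry_ids)
    return covered(local) and covered(peer)


def find_psk(entries, local, peer):
    """Pick the applicable entry with the most exact (non-%any) matches."""
    best_key, best_score = None, -1
    for ids, key in entries:
        if not ids_match(ids, local, peer):
            continue
        score = sum(1 for want in (local, peer) if want in ids)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


class SecretsStore:
    """Models a daemon holding an in-memory copy of the secrets file."""

    def __init__(self):
        self.entries = []

    def load(self, text):
        """Only an explicit reload replaces the in-memory entries."""
        self.entries = parse_secrets(text)

    def lookup(self, local, peer):
        return find_psk(self.entries, local, peer)


def stale_demo():
    """Show why editing the file alone changes nothing for a running daemon."""
    store = SecretsStore()
    store.load(OLD_FILE)
    before = store.lookup(LOCAL, NAT_PEER)        # None: old file names pre-NAT address
    # The file on disk is now NEW_FILE, but the daemon was not told to reread it.
    after_edit = store.lookup(LOCAL, NAT_PEER)    # still None
    store.load(NEW_FILE)                          # explicit reload
    after_reload = store.lookup(LOCAL, NAT_PEER)  # "test"
    return before, after_edit, after_reload


if __name__ == "__main__":
    print(stale_demo())
```

In the model, the `%any` line does match the NAT'd peer, so a persistent "no preshared key found" after editing the file points at the daemon still holding the old entries rather than at the matching rule; the real-world analogue of `load()` here is openswan's `ipsec auto --rereadsecrets`.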