[Openswan Users] Re: NAT Traversal support with openswan
Nate Carlson
natecars at natecarlson.com
Mon Jun 21 10:59:18 CEST 2004
On Mon, 21 Jun 2004, Xiaoming Yu wrote:
> I just saw your reply. Your email was not replied to me, so I didn't see
> it until I read the daily digest. Sorry for the delay.
Yeah, I tend to strip off the second recipient of the message - I don't
like getting multiple copies (even though Procmail handles it nicely), so
I also tend to strip off secondary recipients when sending mail. I've
left you on this one, though. :)
> Here is the answer to your question. This is the error message I received
> if I used %any in the ipsec.secrets file
>
> Jun 21 09:04:52 vpn pluto[19843]: | looking for secret for 9.10.109.122->9.5.56.160 of kind PPK_PSK
> Jun 21 09:04:52 vpn pluto[19843]: "test"[2] 9.5.56.160 #2: Can't authenticate: no preshared key found for `9.10.109.122' and `%any'. Attribute OAKLEY_AUTHENTICATION_METHOD
>
> You can see it thinks 9.5.56.160 doesn't match the %any for some reason.
>
> For your second question, yes, I still used %any in my ipsec.conf file.
> It used to work without NAT. Now I changed from %any to 9.5.56.160 in
> the secrets file, but still got the same error above. That is why I said
> the old secrets is still remembered. So odd!
If you change %any to 9.5.56.160 in ipsec.conf does it take care of it?
I believe the entries need to match between ipsec.conf and ipsec.secrets
in any case.
I'd still tend to go RSA or X.509. :)
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------