[Openswan Users] multiple authentication methods for road
warriors
Abdul-Wahid Paterson
abdulwahid at gmail.com
Tue Oct 12 14:56:23 CEST 2004
Hmm...back to openswan list ;)...whoops
Can anyone else verify if KAME under 2.6 will allow PSK and RSA
authentication for unknown peers (%any) ??
On Tue, 12 Oct 2004 07:33:24 -0400, John A. Sullivan III
<john.sullivan at nexusmgmt.com> wrote:
> I'm afraid that I've never tried them together so I can't help you
> there. I wonder if you'd be better off with 2.6 and KAME. I've
> generally been less impressed with the KAME user tools but perhaps they
> will allow you to do this.
>
> I did notice that this thread has somehow migrated over to the netfilter
> list. Shouldn't we be on the openswan list? - John
>
>
>
> On Tue, 2004-10-12 at 04:12, Abdul-Wahid Paterson wrote:
> > I first did a re-reead of my secrets and then I did the
> >
> > ipsec auto --add newvpn
> >
> > as you stated. It generates the error message:
> >
> > "023 authentication method disagrees with "somevpn", which is also for
> > an unspecified peer"
> >
> > That would indicate to me that you can't have two types of
> > authenticaiton methods for "unspecified peers". ie. when you use %any
> > to specify the other end of the link. Is that right?
> >
> > Abdul-Wahid
> >
> >
> > On Mon, 11 Oct 2004 19:21:35 -0400, John A. Sullivan III
> > <john.sullivan at nexusmgmt.com> wrote:
> > > Did you load the new connection?
> > > ipsec auto --add newvpn
> > > ipsec auto --up newvpn
> > > I think that's the syntax - John
> > >
> > >
> > >
> > > On Mon, 2004-10-11 at 18:15, Abdul-Wahid Paterson wrote:
> > > > That is what I have done....the "somevpn" is one of the other working
> > > > VPN connections in the ipsec.conf. I haven't tried to actually restart
> > > > ipsec....i just did a reread of the secrets file and add my new
> > > > connection profile which failed with the message stated in my previous
> > > > email.
> > > >
> > > > Regards,
> > > >
> > > > Abdul-Wahid
> > > >
> > > > On Mon, 11 Oct 2004 18:05:11 -0400, John A. Sullivan III
> > > > <john.sullivan at nexusmgmt.com> wrote:
> > > > >
> > > > >
> > > > > On Mon, 2004-10-11 at 17:47, Abdul-Wahid Paterson wrote:
> > > > > > Hi,
> > > > > >
> > > > > > On one of my VPN gateways I have about 25 VPNs with most of them
> > > > > > using RSA sig and a few using X.509. Probably 80% of my tunnels have
> > > > > > dynamic IPs on the other end so I have them specified as %any on my
> > > > > > VPN gateway conf file.
> > > > > >
> > > > > > That has all been working fine. I now though need to connect a Vigor
> > > > > > ADSL router which can only do PSK authentication. However, is it
> > > > > > possible to share PSK authentication along side RSA and X.509? When I
> > > > > > try I get the error message:
> > > > > >
> > > > > > 023 authentication method disagrees with "somevpn", which is also for
> > > > > > an unspecified peer
> > > > > >
> > > > > > Does this mean it can't be done? Is it a protocol or an implementation
> > > > > > limitation?
> > > > > <snip>
> > > > > Is "somevpn" your %any conn? If so, although I have never done it, I
> > > > > would think you could just create another conn, call it "somepsk" which
> > > > > also uses %any but specifies authby=secret rather than rsasig - John
> > > > > --
> > > > > John A. Sullivan III
> > > > > Chief Technology Officer
> > > > > Nexus Management
> > > > > +1 207-985-7880
> > > > > john.sullivan at nexusmgmt.com
> > > > > ---
> > > > > If you are interested in helping to develop a GPL enterprise class
> > > > > VPN/Firewall/Security device management console, please visit
> > > > > http://iscs.sourceforge.net
> > > > >
> > > > >
> > >
> > >
> > > --
> > > John A. Sullivan III
> > > Chief Technology Officer
> > > Nexus Management
> > > +1 207-985-7880
> > > john.sullivan at nexusmgmt.com
> > >
> > >
>
>
> --
> John A. Sullivan III
> Chief Technology Officer
> Nexus Management
> +1 207-985-7880
> john.sullivan at nexusmgmt.com
>
>
More information about the Users
mailing list