[Openswan Users] multiple authentication methods for road warriors

Abdul-Wahid Paterson abdulwahid at gmail.com
Tue Oct 12 17:48:59 CEST 2004


I now have a workaround (works for me type fix) for the problem I was facing.

I set up a dynamic dns service on the vigor router and on the linux
openswan end specified the remote connection as the dynamic dns name
rather than as %any.

I then wrote a small shell script that checks to see if the IP has
changed and if it has it reloads the IPSec profile for the vigor box.

It seems to work quite well and even when the IP changes it reloads in
a matter of seconds. Since the IP is only likely to change once a
month or so I am not too bothered about a few seconds down on my VPN
as the profile gets changed.

So now I can have PSK and RSA authentication running side by side again.

Thanks for everyone's help.  If anyone wants to know anything about how
I got the Vigor working then email me personally and copy it to the
list.

Regards,

Abdul-Wahid
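
The dynamic DNS watcher described above, written out as an added example
(this is not the script from the post): it resolves the peer's name,
compares the result with the last recorded address, and reloads the conn
only when the address has changed. All names here are assumptions: the
conn is called "vigorvpn" (with right= set to the dynamic DNS name in
ipsec.conf), the peer name is "vigor.example.invalid", and the last
address is kept in /var/run/vigorvpn.ip. It reloads with
"ipsec auto --replace" followed by "ipsec auto --up", which is assumed
to be the right pair for the reader's Openswan version.

```shell
#!/bin/sh
# Added example (not the poster's script): reload an Openswan conn whose
# right= side is a dynamic DNS name whenever that name resolves to a new
# address. Hypothetical names: conn "vigorvpn", peer "vigor.example.invalid".

CONN="${CONN:-vigorvpn}"
PEER_HOST="${PEER_HOST:-vigor.example.invalid}"
STATE_FILE="${STATE_FILE:-/var/run/${CONN}.ip}"
IPSEC="${IPSEC:-ipsec}"   # command used to drive pluto; override for testing

# Resolve the peer's DNS name to a single address; print nothing on failure.
resolve_peer() {
    getent hosts "$1" 2>/dev/null | awk '{print $1; exit}'
}

# Return 0 (changed) if the recorded address differs from $1, 1 otherwise.
# A missing state file counts as changed so the first run records the address.
ip_changed() {
    new="$1"
    [ -f "$STATE_FILE" ] || return 0
    old=$(cat "$STATE_FILE")
    [ "$old" != "$new" ]
}

# Reload the conn so pluto re-resolves right= and brings the tunnel back up.
# Assumed reload pair: "auto --replace" then "auto --up" (see lead-in).
reload_conn() {
    "$IPSEC" auto --replace "$CONN" && "$IPSEC" auto --up "$CONN"
}

# One check: never touch the running conn when the name does not resolve,
# and record the new address only after the reload succeeded.
check_and_reload() {
    ip=$(resolve_peer "$PEER_HOST")
    if [ -z "$ip" ]; then
        echo "could not resolve $PEER_HOST; leaving $CONN untouched" >&2
        return 2
    fi
    if ip_changed "$ip"; then
        reload_conn || return 1
        printf '%s\n' "$ip" > "$STATE_FILE"
        echo "$CONN: peer now $ip, conn reloaded"
    fi
    return 0
}

# Run the check only when invoked as "ipsec-dyndns.sh run" (e.g. from cron),
# so the file can also be sourced for its functions.
case "${1:-}" in
    run) check_and_reload ;;
esac
```

Run it every minute from cron ("* * * * * /usr/local/sbin/ipsec-dyndns.sh
run"); since the tunnel is only reloaded when the resolved address actually
differs from the recorded one, the conn is left alone in the common case, and
a transient DNS failure is logged rather than causing a reload of a conn that
is still working.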



On Tue, 12 Oct 2004 13:56:23 +0100, Abdul-Wahid Paterson
<abdulwahid at gmail.com> wrote:
> Hmm...back to openswan list ;)...whoops
> 
> Can anyone else verify if KAME under 2.6 will allow PSK and RSA
> authentication for unknown peers (%any) ??
> 
> On Tue, 12 Oct 2004 07:33:24 -0400, John A. Sullivan III
> <john.sullivan at nexusmgmt.com> wrote:
> > I'm afraid that I've never tried them together so I can't help you
> > there.  I wonder if you'd be better off with 2.6 and KAME.  I've
> > generally been less impressed with the KAME user tools but perhaps they
> > will allow you to do this.
> >
> > I did notice that this thread has somehow migrated over to the netfilter
> > list.  Shouldn't we be on the openswan list? - John
> >
> >
> >
> > On Tue, 2004-10-12 at 04:12, Abdul-Wahid Paterson wrote:
> > > I first did a re-read of my secrets and then I did the
> > >
> > > ipsec auto --add newvpn
> > >
> > > as you stated. It generates the error message:
> > >
> > > "023 authentication method disagrees with "somevpn", which is also for
> > > an unspecified peer"
> > >
> > > That would indicate to me that you can't have two types of
> > > authentication methods for "unspecified peers", i.e. when you use %any
> > > to specify the other end of the link. Is that right?
> > >
> > > Abdul-Wahid
> > >
> > >
> > > On Mon, 11 Oct 2004 19:21:35 -0400, John A. Sullivan III
> > > <john.sullivan at nexusmgmt.com> wrote:
> > > > Did you load the new connection?
> > > > ipsec auto --add newvpn
> > > > ipsec auto --up newvpn
> > > > I think that's the syntax - John
> > > >
> > > >
> > > >
> > > > On Mon, 2004-10-11 at 18:15, Abdul-Wahid Paterson wrote:
> > > > > That is what I have done... the "somevpn" is one of the other working
> > > > > VPN connections in the ipsec.conf. I haven't tried to actually restart
> > > > > ipsec... I just did a reread of the secrets file and added my new
> > > > > connection profile which failed with the message stated in my previous
> > > > > email.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Abdul-Wahid
> > > > >
> > > > > On Mon, 11 Oct 2004 18:05:11 -0400, John A. Sullivan III
> > > > > <john.sullivan at nexusmgmt.com> wrote:
> > > > > >
> > > > > >
> > > > > > On Mon, 2004-10-11 at 17:47, Abdul-Wahid Paterson wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > On one of my VPN gateways I have about 25 VPNs with most of them
> > > > > > > using RSA sig and a few using X.509. Probably 80% of my tunnels have
> > > > > > > dynamic IPs on the other end so I have them specified as %any on my
> > > > > > > VPN gateway conf file.
> > > > > > >
> > > > > > > That has all been working fine. I now though need to connect a Vigor
> > > > > > > ADSL router which can only do PSK authentication. However, is it
> > > > > > > possible to share PSK authentication along side RSA and X.509? When I
> > > > > > > try I get the error message:
> > > > > > >
> > > > > > > 023 authentication method disagrees with "somevpn", which is also for
> > > > > > > an unspecified peer
> > > > > > >
> > > > > > > Does this mean it can't be done? Is it a protocol or an implementation
> > > > > > > limitation?
> > > > > > <snip>
> > > > > > Is "somevpn" your %any conn? If so, although I have never done it, I
> > > > > > would think you could just create another conn, call it "somepsk" which
> > > > > > also uses %any but specifies authby=secret rather than rsasig - John
> > > > > > --
> > > > > > John A. Sullivan III
> > > > > > Chief Technology Officer
> > > > > > Nexus Management
> > > > > > +1 207-985-7880
> > > > > > john.sullivan at nexusmgmt.com
> > > > > > ---
> > > > > > If you are interested in helping to develop a GPL enterprise class
> > > > > > VPN/Firewall/Security device management console, please visit
> > > > > > http://iscs.sourceforge.net
> > > > > >
> > > > > >
> > > >
> > > >
> > > > --
> > > > John A. Sullivan III
> > > > Chief Technology Officer
> > > > Nexus Management
> > > > +1 207-985-7880
> > > > john.sullivan at nexusmgmt.com
> > > >
> > > >
> >
> >
> > --
> > John A. Sullivan III
> > Chief Technology Officer
> > Nexus Management
> > +1 207-985-7880
> > john.sullivan at nexusmgmt.com
> >
> >
>

