[Openswan Users] IPSec Aggressive Mode

Snitgen, John John.Snitgen at tnsi.com
Mon Dec 12 11:49:31 CET 2005


Hello,
I'm attempting to establish an IPSec tunnel from a Linux box to a Cisco that is using a Radius server for authentication.  

My questions:
When configured to use aggressive mode, is the 'left' parameter in ipsec.conf used as the Radius username?  Is the PSK secret in (ipsec.secrets) used as the password for Radius authentication?   Does 'rightid' need to be the IP address of the Radius server for my scenario?

Is XAUTH required?  From what info I have gathered, it appears that XAUTH is only required if the Radius Server requires a different password than the ipsec secret passphrase.

I am running OpenSwan 1.0.7

This is my ipsec.conf

	# /etc/ipsec/ipsec.conf - OpenSwan config file

	# basic configuration
	config setup
	        interfaces="ipsec0=ppp0"
	        klipsdebug=none
	        plutodebug=all
	        plutoload=%search
	        plutostart=%search

	conn %default
	        keylife=24h
	        ikelifetime=1h
	        rekeymargin=9m
	        rekeyfuzz=100%
	        authby=secret
	        auth=esp
	        dpddelay=30
	        dpdtimeout=60
	        dpdaction=hold

	conn LinuxToCisco
	        auto=add
	        #xauth=yes
	        ike=3des-sha
	        keyingtries=2
	        disablearrivalcheck=no
	        left=static_ip_address_of_Linux_box_ppp0_interface 
	        leftid=an_arbitrary_ip_address_that_matches_the Radius_server's_account_username
	        leftsubnet=static_ip_address_of_Linux_box_ppp0_interface/32
	        leftnexthop=gateway_ip_for_the_ppp0_static_ip
	        right=ip_address_of_Cisco_tunnel_endpoint
	        rightid=ip_address_of_Cisco_tunnel_endpoint
	        rightsubnet=xxx.xxx.xxx.0/24
	        aggrmode=yes
	        pfs=no


Thanks for any insight,

John
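An added example (not from the post or from Openswan itself): a small Python parser for the ipsec.conf format shown above that applies the "conn %default" inheritance pluto uses, so the effective settings of the LinuxToCisco conn can be checked, including whether the conn actually ends up with aggrmode=yes plus authby=secret and whether the commented-out xauth line has any effect. The embedded config is a constructed, trimmed copy of the one in the post with its placeholders kept.

```python
import re

# Constructed sample: a trimmed copy of the poster's ipsec.conf, placeholders kept.
SAMPLE_CONF = """\
# /etc/ipsec/ipsec.conf - OpenSwan config file
config setup
        interfaces="ipsec0=ppp0"
conn %default
        keylife=24h
        authby=secret
conn LinuxToCisco
        auto=add
        #xauth=yes
        ike=3des-sha
        left=static_ip_address_of_Linux_box_ppp0_interface
        aggrmode=yes
        pfs=no
"""

def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {key: value}}; comments and
    blank lines are ignored and quotes around values are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops '#xauth=yes' entirely
        if not line:
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value.strip('"')
    return sections

def effective_conn(sections, name):
    """Merge 'conn %default' under the named conn, as pluto does."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[f"conn {name}"])
    return merged

def review(conn):
    """List the settings the poster asks about, as pluto would see them."""
    findings = []
    if conn.get("aggrmode") == "yes" and conn.get("authby") == "secret":
        findings.append("aggressive mode with PSK (authby=secret)")
    if conn.get("aggrmode") == "yes" and conn.get("xauth") != "yes":
        findings.append("aggressive mode without xauth")
    return findings
```

Running review(effective_conn(parse_ipsec_conf(SAMPLE_CONF), "LinuxToCisco")) shows that authby=secret is inherited from %default and that the commented xauth line is simply not there, which is the state the questions above are about.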
