[Openswan Users] re: Openswan Road warriors and Netscreen vpn

Nico Baggus mlfreeswan at noci.xs4all.nl
Wed Jun 22 00:51:21 CEST 2005
On Tuesday 21 June 2005 19:37, Ric Stuebs wrote:
> We have a number of mobile users with linux laptops that would like to
> connect to our Netscreen 500 with OpenSwan. These particular users need to
> use PSK.

Are you sure you want to have mobile users using a PSK?
If one laptop gets compromised/stolen you need to change ALL PSKs ASAP.
That is because with a roaming profile you will use ONE profile for all remote 
users. I'm not exactly sure if Netscreen has a revocation list; in that case a 
certificate is much safer, you just disable the certificate for the laptop 
in question. 

If you need a tool for managing certificates maybe tinyCA might be of help.

Kind regards,
Nico Baggus

My ipsec.conf goes along:

conn to_netscreen
        keyingtries=3                 # give up after 3 IKE attempts
        auto=start                    # bring the tunnel up when pluto starts
        authby=secret                 # pre-shared key, stored in ipsec.secrets
        pfs=yes                       # perfect forward secrecy for phase 2
        keylife=3600                  # rekey the IPsec SA every hour
        left=<My Ip Address>
        leftsourceip=<Use my inside address for access to the gateway itself>
        leftsubnet=<MyLocalNetwork>
        right=<NetscreenIP>
        rightsubnet=10.0.0.0/8        # network reachable behind the Netscreen
        leftnexthop=<Mydefaultgw>

and the Key.... is in ipsec.secrets ....


On the Netscreen you need 0.0.0.0 as the remote address (as the remote address 
is unknown), and therefore you can only use one key for all connections.
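Added example, not from Nico's post: the same road-warrior tunnel written twice in Openswan's ipsec.conf syntax, once with the shared PSK the thread is about and once with a per-laptop X.509 certificate so that a single stolen laptop can be cut off by revoking its certificate instead of rotating every user's secret. The DN strings, the file name laptop-01.pem and the CRL interval are assumptions; the angle-bracket placeholders are the same ones used in the post.

```ini
# Added example (not from the original post).  DNs, file names and the
# CRL interval are assumed values; <...> placeholders are as in the post.

config setup
        # Re-read CRLs from /etc/ipsec.d/crls/ every hour and refuse a peer
        # whose issuing CA has no CRL loaded, so a revocation actually bites.
        crlcheckinterval=3600
        strictcrlpolicy=yes

# Variant A: pre-shared key.  The gateway accepts road warriors from
# 0.0.0.0, so it cannot tell laptops apart and every laptop carries the same
# secret; one compromised laptop means changing the PSK on all of them.
# ipsec.secrets on the laptop:   <My Ip Address> <NetscreenIP> : PSK "..."
conn to_netscreen_psk
        authby=secret
        left=<My Ip Address>
        leftsubnet=<MyLocalNetwork>
        leftnexthop=<Mydefaultgw>
        right=<NetscreenIP>
        rightsubnet=10.0.0.0/8
        pfs=yes
        keylife=3600
        keyingtries=3
        auto=start

# Variant B: per-laptop certificate.  Certificate in /etc/ipsec.d/certs/,
# private key in /etc/ipsec.d/private/, CA certificate in /etc/ipsec.d/cacerts/.
# ipsec.secrets on the laptop:   : RSA laptop-01.key
# Revoking laptop-01 on the CA (e.g. in tinyCA), publishing the CRL and
# placing it in /etc/ipsec.d/crls/ on the responder excludes that one laptop
# while every other laptop keeps its own unchanged credentials.
conn to_netscreen_cert
        authby=rsasig
        left=<My Ip Address>
        leftcert=laptop-01.pem
        leftid="C=NL, O=Example Corp, CN=laptop-01"
        leftrsasigkey=%cert
        leftsubnet=<MyLocalNetwork>
        leftnexthop=<Mydefaultgw>
        right=<NetscreenIP>
        rightid="C=NL, O=Example Corp, CN=netscreen-gw"
        rightrsasigkey=%cert
        rightca=%same                 # peer cert must come from our own CA
        rightsubnet=10.0.0.0/8
        pfs=yes
        keylife=3600
        keyingtries=3
        auto=start
```

The revocation only takes effect on the side that validates the peer's certificate, so the gateway must trust the same CA and load its CRL as well; whether the Netscreen does that is exactly the open question in the post above.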
