[Openswan Users] Openswan 2.3 with multiple remote networks that are dynamic

Paul Wouters paul at xelerance.com
Fri Jun 24 06:37:41 CEST 2005


On Thu, 23 Jun 2005, Kristopher Lalletti wrote:

> I've got a particular network scenario to which I wanted to validate and see if it's actually feasible.  Essentially,
> we're talking about several remote networks terminated with IPSEC gateways to which their IP address is dynamic. All
> these remote networks actively initiate a connection to connect to OpenSwan (central node) via Phase1-Aggressive mode
> with PSK and local/remote peer IDs.

I would definitely not recommend this scenario.
When connecting to an openswan server, aggressive mode should never be used. Use main mode instead.
Using dynamic IP with PSK is tricky. You will need to specify the proper IDs. I do not think this is
even possible combined with aggressive mode.
   
> I've got one to connect successfully, having my right=%any, however, when I start adding several tunnel/peer
> definitions in /etc/ipsec.conf, only the first peer declaration is used, and evidently, nothing works.  Any
> suggestions to getting this scenario working would be greatly appreciated.  So far, I'm thinking of having a remote
> trigger, that would detect the remote peer IP address (via a web service), and re-write/update the ipsec.conf to
> substitute the %any with the remote peer IP, and reload that connection definition.  But, there must be a more elegant
> solution than that!

Clearly, that is not the way to go.
Instead, check what features your leaf-node IPsec devices have, and use them to create roadwarrior-type setups.

Paul
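
What a roadwarrior-style hub configuration for this scenario looks like, as an added example that is not part of the thread above and not Openswan's own sample config. It assumes a central gateway at 192.0.2.1 serving 10.0.0.0/24, two remote sites with dynamic addresses that announce themselves by FQDN-style IDs, and RSA-signature authentication; the IDs, subnets and key blobs are placeholders.

```conf
# /etc/ipsec.conf on the central node (added example; all names and
# addresses are assumptions, not values from the thread).
version 2.0

config setup
    interfaces=%defaultroute

# Shared settings. Main mode is the default (aggrmode=no); it is spelled
# out here because the original question proposed aggressive mode.
conn %default
    aggrmode=no
    authby=rsasig
    keyingtries=0

# One conn per remote site. All of them may carry right=%any: Pluto
# picks the conn by the ID the peer presents, not by its source address.
conn site-a
    left=192.0.2.1
    leftid=@hub.example.com
    leftsubnet=10.0.0.0/24
    leftrsasigkey=0sAQ<hub-public-key>
    right=%any
    rightid=@site-a.example.com
    rightsubnet=10.1.0.0/24
    rightrsasigkey=0sAQ<site-a-public-key>
    # The hub cannot initiate towards an unknown address, so it only
    # loads the conn and waits; the remote side uses auto=start.
    auto=add

conn site-b
    left=192.0.2.1
    leftid=@hub.example.com
    leftsubnet=10.0.0.0/24
    leftrsasigkey=0sAQ<hub-public-key>
    right=%any
    rightid=@site-b.example.com
    rightsubnet=10.2.0.0/24
    rightrsasigkey=0sAQ<site-b-public-key>
    auto=add
```

Each gateway's public key line comes from `ipsec showhostkey --left` (or `--right`) run on that gateway, and the remote sites mirror the conn with left/right swapped, `right=192.0.2.1` and `auto=start`. The reason to prefer rsasig over PSK here is the point Paul makes above: in main mode the pre-shared key is selected before the peer's ID is received, so several `right=%any` conns using `authby=secret` would all have to share a single `%any` PSK in ipsec.secrets, and one compromised site would then hold the key for every other site.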

