[Openswan Users] how does this mean in man page of ipsec.secrets
Paul Wouters
paul at xelerance.com
Thu Nov 9 22:33:30 EST 2006
On Thu, 9 Nov 2006, Hu fangzheng wrote:
> " An additional complexity arises in the case of authentication by preshared secret: the
> responder will need to look up the secret before the Peer's ID payload has been decoded,
> so the ID used will be the IP address."
>
> how does this mean?
You can only use IP addresses for PSK in ipsec.secrets, not rightid= or
leftid= values (eg "@myhost.name")
So this works:
1.2.3.4 5.6.7.8 : PSK "secret"
this too:
0.0.0.0 1.2.3.4 : PSK "secret"
this should work too:
%any 1.2.3.4 : PSK "secret"
this does not work:
@my.hostname @your.hosr.name : PSK "secret"
the result is that if you use PSK with roadwarriors, you cannot distinguish them
by rightid=, and since you cannot distinguish them by IP (because they are
dynamic IP roadwarriors), you can only have ONE PSK for them all.
The preferred solution is to not use PSKs, but RSA keys and/or X.509 certificates.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list