[Openswan Users] what does this mean in the man page of ipsec.secrets

Paul Wouters paul at xelerance.com
Thu Nov 9 22:33:30 EST 2006


On Thu, 9 Nov 2006, Hu fangzheng wrote:

>        " An  additional  complexity  arises  in the case of authentication by preshared secret: the
>        responder will need to look up the secret before the Peer's ID payload has  been  decoded,
>        so the ID used will be the IP address."
>
> what does this mean?

You can only use IP addresses for PSK in ipsec.secrets, not rightid= or
leftid= values (eg "@myhost.name")

So this works:

1.2.3.4 5.6.7.8 : PSK "secret"

this too:

0.0.0.0 1.2.3.4 : PSK "secret"

this should work too:

%any 1.2.3.4 : PSK "secret"

this does not work:

@my.hostname @your.host.name : PSK "secret"

the result is that if you use PSK with roadwarriors, you cannot distinguish them
by rightid=, and since you cannot distinguish them by IP (because they are
dynamic IP roadwarriors), you can only have ONE PSK for them all.

The preferred solution is to not use PSKs, but RSA keys and/or X.509 certificates.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
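The lookup rule Paul describes, written out as a small Python model (an added example, not Openswan's own code and not part of the original thread): it parses ipsec.secrets-style lines and then performs the responder-side PSK lookup using only the two IP addresses, the way the man page says it must. The secrets file is constructed for the demonstration; treating `%any` and `0.0.0.0` as address wildcards and "first matching entry wins" are simplifying assumptions of this model, and the `peer_id` parameter exists only to show that an ID such as `@alice` cannot influence the result at that point in the exchange.

```python
import ipaddress

# Constructed ipsec.secrets contents for the demonstration, modelled on the
# lines in the post above (not a real configuration).
SECRETS_TEXT = """
# site-to-site: both peers have fixed addresses
1.2.3.4 5.6.7.8 : PSK "site-to-site"
# roadwarriors: any peer address talking to 1.2.3.4
%any 1.2.3.4 : PSK "roadwarrior-shared"
# ID-based indices: fine for RSA, but never consulted for a PSK lookup
@my.hostname @your.host.name : PSK "id-based"
"""


def parse_secrets(text):
    """Parse lines of the form 'index index ... : KIND "secret"'.

    Returns a list of (indices, kind, secret) tuples. This is a simplified
    parser for the demonstration, not Openswan's own; a secret containing
    '#' would need a real tokenizer.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, sep, rhs = line.partition(":")
        if not sep:
            raise ValueError("malformed secrets line: %r" % raw)
        indices = lhs.split()
        kind, _, secret = rhs.strip().partition(" ")
        entries.append((indices, kind, secret.strip().strip('"')))
    return entries


def index_matches_address(index, ip):
    """Can this secrets index be matched using only an IP address?

    Before the peer's ID payload has been decoded the responder knows only
    the two addresses, so an '@name' index has nothing to match against and
    never matches. '%any' and '0.0.0.0' are treated as address wildcards
    (an assumption of this model).
    """
    if index in ("%any", "0.0.0.0"):
        return True
    if index.startswith("@"):
        return False
    try:
        return ipaddress.ip_address(index) == ipaddress.ip_address(ip)
    except ValueError:
        return False


def lookup_psk(entries, local_ip, peer_ip, peer_id=None):
    """Model of the responder-side PSK lookup: the first PSK entry wins whose
    every index matches one of the two addresses.

    peer_id is accepted only to make the point: it is deliberately unused,
    because the ID payload is not yet available when the PSK is needed, so
    two roadwarriors with different IDs land on the same entry.
    """
    for indices, kind, secret in entries:
        if kind != "PSK":
            continue
        if all(index_matches_address(i, local_ip) or index_matches_address(i, peer_ip)
               for i in indices):
            return secret
    return None


if __name__ == "__main__":
    entries = parse_secrets(SECRETS_TEXT)
    print("site-to-site:", lookup_psk(entries, "1.2.3.4", "5.6.7.8"))
    # Two dynamic-IP roadwarriors with distinct rightid values (constructed)
    for rw_ip, rw_id in (("198.51.100.7", "@alice"), ("203.0.113.9", "@bob")):
        print(rw_id, "->", lookup_psk(entries, "1.2.3.4", rw_ip, peer_id=rw_id))
    # A file containing only @name indices yields no PSK at all
    print("id-only file:", lookup_psk(parse_secrets('@a @b : PSK "x"'), "1.2.3.4", "5.6.7.8"))
```

Running it shows the site-to-site pair getting its own secret, both roadwarriors (whatever ID they will later present) receiving the same "roadwarrior-shared" secret, and a file that indexes PSKs only by `@name` producing no match.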

