[Openswan Users] [Bulk] Re: %defaultroute equivalent for ipsec.secrets

Andy Gay andy at andynet.net
Mon Sep 18 10:37:30 EDT 2006


On Mon, 2006-09-18 at 06:08 -0400, Jonathan Coles wrote:
> 
(please copy the mailing list when you send reports like this)

> Andy Gay wrote:
> > Just don't specify your address. E.g.
> > xxx.xxx.xxx.xxx : PSK "pre-shared_secret"
> > 
> > or even just
> > : PSK "pre-shared_secret"
> > 
> > will work.
> 
> : PSK "pre-shared_secret"
> works and is OK because I always connect to the same VPN 
> gateway. Otherwise, couldn't this cause a problem?
> 
Yes. It would require you to use the same PSK for all gateways.

> If I specify
> xxx.xxx.xxx.xxx : PSK "pre-shared_secret"
> or
> xxx.xxx.xxx.xxx 0.0.0.0 : PSK "pre-shared_secret"
> 
> then, I get the error "Can't authenticate: no
> preshared key found for `192.168.0.101' and `xxx.xxx.xxx.xxx'."
> 
> I tried these before. It appears that I have interpreted the 
> man page correctly. But the program simply doesn't work that 
> way. I am using Openswan version 2.4.4 on Fedora Core 5. 
> Perhaps I have found a bug?

Sounds like you may have.
It's probably not a common configuration though for a RW to have
multiple gateways using PSK. Maybe that's why it wasn't noticed before.

> > 
> >> I tried %any as mentioned in the ipsec.secrets man page, but 
> >> it doesn't work. Error message: "Can't authenticate: no 
> >> preshared key found for `192.168.0.101' and `xxx.xxx.xxx.xxx'."

As long as the `xxx.xxx.xxx.xxx' in the error message is EXACTLY what
you have in ipsec.secrets, then I suspect this is a bug.

You should open a bug report on this. Go to
http://www.openswan.org/support/ and follow the 'Bug Reports' links.


> >>
> >> Have I misunderstood something?
> >>
> > 
> > 
> 


