[Openswan Users] [Bulk] Re: %defaultroute equivalent for ipsec.secrets

Andy Gay andy at andynet.net
Mon Sep 18 11:47:18 EDT 2006


On Mon, 2006-09-18 at 17:32 +0200, Paul Wouters wrote:
> On Mon, 18 Sep 2006, Andy Gay wrote:
> 
> > (please copy the mailing list when you send reports like this)
> 
> Indeed people. Keep using the list, so others can find it in the archive or
> google. If you want private answers, hire a consultant.

I can quote a rate :)

> 
> > > : PSK "pre-shared_secret"
> > > works and is OK because I always connect to the same VPN
> > > gateway. Otherwise, couldn't this cause a problem?
> > >
> > Yes. It would require you to use the same PSK for all gateways.
> 
> Which is needed on the server side anyway for all roadwarriors
> using the same conn. With PSK you get what you deserve. It does
> not scale. Use X.509 if you need to scale.
> 
> > > then, I get the error "Can't authenticate: no
> > > preshared key found for `192.168.0.101' and `xxx.xxx.xxx.xxx'."
> > >
> > > I tried these before. It appears that I have interpreted the
> > > man page correctly. But the program simply doesn't work that
> > > way. I am using Openswan version 2.4.4 on Fedora Core 5.
> > > Perhaps I have found a bug?
> 
> Did you restart openswan after editing ipsec.secrets, or ran the
> command "ipsec secrets" to reload them?

Good point. Shouldn't that be 'ipsec auto --rereadsecrets' though? Or is
'ipsec secrets' shorthand for that?

Here's a thing though - I just read the ipsec.secrets manpage again, and
actually it's working as documented. Here's the relevant section:

       To authenticate a connection between two hosts, the entry that most
       specifically matches the host and peer IDs is used. An entry with no
       index will match any host and peer. More specifically, an entry with
       one index will match a host and peer if the index matches the host's
       ID (the peer isn't considered).

Which is what seems to be happening here - it's not looking at the
gateway's address. So perhaps this isn't a bug but a (mis-)feature....
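As an added illustration of the manpage rule quoted in this thread (this is example code, not part of the original mail or of Openswan), the matcher below applies the selection rule to constructed ipsec.secrets lines: a one-index entry is chosen by the host ID alone, so the peer gateway never influences the choice. The behaviour for entries with two or more indices (host ID matches one index, peer ID another) and "most specific" meaning "most indices" are assumptions; 203.0.113.10 and 198.51.100.7 are placeholder gateway addresses.

```python
import re
from dataclasses import dataclass

# Constructed example; the matching rule follows the manpage text quoted in
# the thread, with the multi-index behaviour an assumption (see lead-in).
LINE_RE = re.compile(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"\s*$')


@dataclass(frozen=True)
class SecretEntry:
    indices: tuple  # () = wildcard, ("host",) = one index, ("host", "peer") = two
    psk: str


def parse_secrets_line(line):
    """Parse one 'idx... : PSK "secret"' line from ipsec.secrets."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ipsec.secrets line: {line!r}")
    return SecretEntry(tuple(m.group(1).split()), m.group(2))


def entry_matches(entry, host_id, peer_id):
    """No index: matches everything. One index: matches if it equals the
    host ID; the peer ID is ignored (the 'mis-feature' in the thread).
    Two or more: host ID must match one index and peer ID another (assumed)."""
    idx = entry.indices
    if not idx:
        return True
    if len(idx) == 1:
        return idx[0] == host_id
    if host_id not in idx:
        return False
    others = list(idx)
    others.remove(host_id)
    return peer_id in others


def select_psk(entries, host_id, peer_id):
    """Return the PSK of the most specific match (most indices), or None,
    which is the case behind the 'no preshared key found' error."""
    matches = [e for e in entries if entry_matches(e, host_id, peer_id)]
    if not matches:
        return None
    return max(matches, key=lambda e: len(e.indices)).psk


# Constructed ipsec.secrets contents; 203.0.113.10 is a placeholder gateway.
SECRETS_TEXT = '''
192.168.0.101 : PSK "roadwarrior-secret"
192.168.0.101 203.0.113.10 : PSK "gateway-specific-secret"
'''
ENTRIES = [parse_secrets_line(l) for l in SECRETS_TEXT.splitlines() if l.strip()]
```

With both entries present the two-index line wins for its gateway, while any other gateway still gets the one-index secret, which is exactly why the single-index form "works" regardless of which VPN gateway is contacted.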



