[Openswan Users] [Bulk] Re: %defaultroute equivalent for ipsec.secrets
andy at andynet.net
Mon Sep 18 11:47:18 EDT 2006
On Mon, 2006-09-18 at 17:32 +0200, Paul Wouters wrote:
> On Mon, 18 Sep 2006, Andy Gay wrote:
> > (please copy the mailing list when you send reports like this)
> Indeed people. Keep using the list, so others can find it in the archive or
> google. If you want private answers, hire a consultant.
I can quote a rate :)
> > > : PSK "pre-shared_secret"
> > > works and is OK because I always connect to the same VPN
> > > gateway. Otherwise, couldn't this cause a problem?
> > >
> > Yes. It would require you to use the same PSK for all gateways.
> Which is needed on the server side anyway for all roadwarriors
> using the same conn. With PSK you get what you deserve. It does
> not scale. Use X.509 if you need to scale.
> > > then, I get the error "Can't authenticate: no
> > > preshared key found for `192.168.0.101' and `xxx.xxx.xxx.xxx'."
> > >
> > > I tried these before. It appears that I have interpreted the
> > > man page correctly. But the program simply doesn't work that
> > > way. I am using Openswan version 2.4.4 on Fedora Core 5.
> > > Perhaps I have found a bug?
> Did you restart openswan after editing ipsec.secrets, or ran the
> command "ipsec secrets" to reload them?
Good point. Shouldn't that be 'ipsec auto --rereadsecrets' though? Or is
'ipsec secrets' shorthand for that?
Here's a thing though - I just read the ipsec.secrets manpage again, and
actually it's working as documented. Here's the relevant section:
To authenticate a connection between two hosts, the entry that most specifically matches the host and peer IDs is
used. An entry with no index will match any host and peer. More specifically, an entry with one index will match
a host and peer if the index matches the host's ID (the peer isn't considered).
Which is what seems to be happening here - it's not looking at the
gateway's address. So perhaps this isn't a bug but a (mis-)feature....
More information about the Users