[Openswan Users] [Bulk] Re: %defaultroute equivalent for ipsec.secrets

Jonathan Coles jcoles0727 at rogers.com
Mon Sep 18 13:21:55 EDT 2006

I meant to say, "But I can define a PSK definition with 
information about *neither* end and it works just fine.
That doesn't make sense to me."

Jonathan Coles wrote:
> I used "Reply All" so that the list is CC'd. Thanks for the 
> reminder.
> I reloaded the secrets each time I changed the secrets file.
> Andy Gay wrote:
>> Here's a thing though - I just read the ipsec.secrets manpage again, and
>> actually it's working as documented. Here's the relevant section:
>>        To  authenticate  a connection between two hosts, the entry that most specifically matches the host and peer IDs is
>>        used.  An entry with no index will match any host and peer.  More specifically, an entry with one index will  match
>>        a  host and peer if the index matches the host's ID (the peer isn't considered).
>> Which is what seems to be happening here - it's not looking at the
>> gateway's address. So perhaps this isn't a bug but a (mis-)feature....
> I found that section unclear. I have yet to find a clear 
> distinction between "host" and "peer". Which am I?
> If the "host" is the VPN gateway, and the peer (my end) 
> isn't considered, there should be no problem. The error 
> message, though, shows that Openswan is looking for a PSK 
> definition that includes my specific IP address. But I can 
> define a PSK definition with information about either end 
> and it works just fine. That doesn't make sense to me.
> That man page also mentions the %any value, which doesn't 
> solve the problem either.
> As my original question said, all I really need is a magic 
> value like %defaultroute so that I can insert my current IP 
> into the ipsec.secrets definition. Perhaps this is a feature 
> request more than a bug.
> Thanks for your help.
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list