[Openswan Users] Problem with multiple road-warriors and psk

Paul Wouters paul at xelerance.com
Thu Sep 21 13:23:19 EDT 2006


On Thu, 21 Sep 2006, Andy Van den Heede wrote:

> How should you configure the ipsec.conf and ipsec.secrets in this
> situation?

I am not sure I fully know your situation.

> Also for a lot more connections?

If these are all Linksys Linux-based IPsec clients, I would use raw RSA
keys, and not PSK. If these clients are Windows behind Linksyses, I
would use an X.509 setup.

Paul

> -----Original message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, 21 September 2006 16:53
> To: Andy Van den Heede
> CC: users at openswan.org
> Subject: RE: [Openswan Users] Problem with multiple road-warriors and
> psk
>
> On Wed, 20 Sep 2006, Andy Van den Heede wrote:
>
> > I also did a test with two different leftid's. Also in main mode....
> >
> > But when the linksys1 tries to build up the tunnel, the openswan tries
> > to bring up the tunnel 2.
>
> If phase 1 is identical, then the name is arbitrary and gets switched
> midway through the tunnel setup.
>
> > I use aggressive mode because it will be dynamic ip addresses at the
> > external side of the Linksys routers. The setup now is a test network.
>
> So? Aggressive mode is insecure, and should only be used when forced by
> stupid (read Cisco) setups. Avoid aggressive mode at all cost.
> Especially with PSK, because it allows for brute forcing the PSK. And
> even without the brute forcing, any client can pretend to be the
> gateway and get further credentials.
>
> Paul
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
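
Added example, not part of the original message: a small audit that lists the connections in an ipsec.conf which combine aggressive mode with PSK authentication, the combination warned against above. It assumes the Openswan keywords aggrmode, authby (default rsasig) and also; the sample configuration and connection names are constructed.

```python
# Constructed sample ipsec.conf (not taken from the thread).
SAMPLE_CONF = """\
conn %default
    authby=secret

conn linksys1
    right=%any
    aggrmode=yes

conn linksys2
    authby=rsasig

conn linksys3
    also=linksys1
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # simplified comment handling
        if not line.strip():
            continue
        if not line[0].isspace():              # section headers start in column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def effective(name, conns, seen=()):
    """Merge %default, then the also= target, then the conn's own keys."""
    merged = dict(conns.get("%default", {}))
    target = conns[name].get("also")
    if target in conns and target not in seen:
        merged.update(effective(target, conns, seen + (name,)))
    merged.update(conns[name])
    return merged

def risky_conns(text):
    """Conn names that use aggressive mode together with PSK authentication."""
    conns = parse_conns(text)
    resolved = {n: effective(n, conns) for n in conns if n != "%default"}
    return [n for n, c in resolved.items()
            if c.get("aggrmode", "no").lower() == "yes"
            and "secret" in c.get("authby", "rsasig").split("|")]
print(risky_conns(SAMPLE_CONF))
```

linksys3 is reported because it inherits aggrmode=yes through also= and authby=secret through %default, which a grep for both keywords in one section would miss.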

