[Openswan Users] Problem with multiple road-warriors and psk

Andy Van den Heede andy.vandenheede at secuteam.com
Thu Sep 21 14:03:21 EDT 2006


Paul,
 
They are all Linksys routers, but they can also be other routers (like Netopia). With a Netopia it is not possible to specify the ID in main mode.
It is 1 Openswan server and multiple routers (with a subnet behind).
 
I think the Linksys routers use a modified FreeS/WAN version.
 
Andy
________________________________

From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Thu 21/09/2006 19:23
To: Andy Van den Heede
CC: users at openswan.org
Subject: RE: [Openswan Users] Problem with multiple road-warriors and psk



On Thu, 21 Sep 2006, Andy Van den Heede wrote:

> How should you configure the ipsec.conf and ipsec.secrets in this
> situation?

I am not sure I fully know your situation.

> Also for a lot more connections?

If these are all linksys linux based ipsec clients, I would use raw rsa
keys, and not PSK. If these clients are windows behind linksys'es, I
would use an X.509 setup.

Paul

> -----Original message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday 21 September 2006 16:53
> To: Andy Van den Heede
> CC: users at openswan.org
> Subject: RE: [Openswan Users] Problem with multiple road-warriors and
> psk
>
> On Wed, 20 Sep 2006, Andy Van den Heede wrote:
>
> > I did also a test with two different leftid's. Also in main mode....
> >
> > But when the linksys1 tries to build up the tunnel, the openswan tries
> > to bring up the tunnel 2.
>
> If phase 1 is identical, then the name is arbitrary and gets switched
> midway through the tunnel setup.
>
> > I use aggressive mode because it will be dynamic ip addresses at the
> > external side of the Linksys routers. The setup now is a test network.
>
> So? Aggressive mode is insecure, and should only be used when forced by
> stupid (read Cisco) setups. Avoid aggressive mode at all cost.
> Especially
> with PSK, because it allows for brute forcing the PSK. And even without
> the brute forcing, any client can pretend to be the gateway and get
> further credentials.
>
> Paul
>

--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
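The setup Paul recommends for Linux-based Linksys clients (main mode, raw RSA keys, one conn per router so each is distinguished by its own ID and public key instead of a shared PSK), written out as an added example that is not part of the original thread; the hostnames, IDs, subnets and the truncated key strings are placeholders.

```ini
# /etc/ipsec.conf on the Openswan gateway (added example; all IDs, subnets
# and key strings are placeholders). Each router has a dynamic address, so
# right=%any; the router is identified by rightid and authenticated by its
# own public key, so phase 1 is no longer identical between the two conns.
config setup
        interfaces=%defaultroute

conn %default
        keyexchange=ike
        aggrmode=no           # main mode only, never aggressive mode
        authby=rsasig         # raw RSA keys instead of a shared PSK
        left=%defaultroute
        leftid=@gateway.example.com
        # gateway public key, printed by: ipsec showhostkey --left
        leftrsasigkey=0sAQ...GATEWAY-PUBKEY-PLACEHOLDER
        auto=add              # wait for the router to initiate

conn linksys1
        right=%any
        rightid=@linksys1.example.com
        rightsubnet=192.168.1.0/24
        # linksys1 public key, as printed by ipsec showhostkey on that router
        rightrsasigkey=0sAQ...LINKSYS1-PUBKEY-PLACEHOLDER

conn linksys2
        right=%any
        rightid=@linksys2.example.com
        rightsubnet=192.168.2.0/24
        rightrsasigkey=0sAQ...LINKSYS2-PUBKEY-PLACEHOLDER
```

The gateway's /etc/ipsec.secrets then holds only its own private key (generated with `ipsec newhostkey --output /etc/ipsec.secrets`), with no per-router secret to manage. Because each conn carries a distinct rightid and rightrsasigkey, the responder can select the matching conn from the ID sent during phase 1 rather than switching names midway, which is the failure Paul describes for identical phase 1 parameters.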


