[Openswan Users] Bug: Duelling tunnels in openswan-2.4.9-r1
Paul Wouters
paul at xelerance.com
Mon Oct 22 14:38:55 EDT 2007
On Mon, 22 Oct 2007, Roland Plüss wrote:
> > this setup is wrong though. Two different laptops should use two different
> > identifiers. You should have two conn's on the server side.
> >
> The wiki though says you can use the same connection for multiple road
> warriors so you don't have to create a new connection definition for
> each machine. How else are you supposed to have a scalable setup where
> you don't know which machines connect ( hence you want the same VPN data
> to be send to all machines without worrying about personalized files )?
the proper way is to assign all roadwarriors an X.509 certificate and they
will all have a unique id (the DN of the certificate) and their own RSA key,
and it uses one roadwarrior conn.
PreShared Secrets (PSK) are a bad idea to use for multiple clients, because
one compromised client leads to all clients being compromised.
> > What do you intend to do when both are behind the same NAT router? They
> > will have the same IP.
> >
> They are not behind a NAT router. Every machine has it's own unique IP.
For now :)
> > It's your setup that is flawed. Perhaps gentoo changed the default for
> > uniqueids= in the config setup section? The default is "yes", which
> > breaks your setup.
> >
> Could be possible. I'll check this one out.
with uniqueids=no, openswan should not disconnect multiple occurances of
the same client id connecting.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list