[Openswan Users] OpenSWAN question on XAUTH clients

Paul Wouters paul at xelerance.com
Sun Aug 9 16:10:58 EDT 2009

On Sun, 9 Aug 2009, Diego Rivera wrote:

>       Out of curiosity, what were those bugs?

thanks for listing those.

> I know that's how you enable it so I guess a better question is: when I
> don't specify "authby=secret", will it automagically use PAM?  That's
> more or less what I was asking.

No. Authby=secret means "Use Preshared Key" for IPsec. Or in Cisco speak,
that is the "Group Secret". It has nothing to do with the user authentication,
it is only the IPsec host identification.

XAUTH (a.k.a phase 1.5) uses a username plus password in addition to the
above secret. That's where pam comes into play. A safer method would be
to not use a group secret, but X.509 certificates. XAUTH would still be
used on top of that for user/password authentication.

> Also - would you happen to know how to tell pluto to *NOT* listen on all
> interfaces/addresses?  I have multiple interfaces on those boxes, some of
> those with multiple IP's - yet I only want pluto to listen on a couple. 
> I can't seem to find clear documentation of how to achieve this.

There is currently no method for that. You cannot really mix IKE daemons,
on a single host. I'd recommend using some firewall rules if you are
really concerned about listening to certain addresses.


More information about the Users mailing list