[Openswan Users] roadwarrior with PSK

Sir Thomas secureth at gmail.com
Wed Jun 3 07:27:54 EDT 2009


Hi Paul,

I have a question: if I have to use leftid and rightid in each conn, I may
set them in the .conf file and the .secrets file, isn't it?
If I use leftid/rightid, is it necessary to set left and right with their
public IPs?
I read on openswan.org that it's possible to set up multiple roadwarriors with
PSK using uniqueids=no, but the PSK must be the same for all conns.
Otherwise, my first choice was to use X.509. I followed this manual,
http://www.natecarlson.com/linux/ipsec-x509.php#changelog
to create the CA, but when I execute this line, /sslca$ openssl ca -gencrl -out
crl.pem,
it generates this error message:
sslca]# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
../../CA/crlnumber: No such file or directory
error while loading CRL number
23025:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('../../CA/crlnumber','r')
23025:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
Do you know what the problem is?
Thanks,

Regards,
Alfonso
2009/5/29 Paul Wouters <paul at xelerance.com>

> On Fri, 29 May 2009, Sir Thomas wrote:
>
>
>> I am trying to establish a connection between an Openswan server and
>> roadwarriors.
>> Each roadwarrior has a static IP address, and the server, too.
>> The roadwarriors run XP and use the ShrewSoft VPN Client to connect. We use
>> PSK to authenticate.
>>
>
>> conn madrid
>>         type=tunnel
>>         authby=secret
>>         leftsourceip=10.105.241.253
>>         left=<public_ip>
>>         leftsubnet=10.105.0.0/16
>>         right=<public_ip>
>>         rightsubnet=192.168.200.60/32
>>         auto=add
>>         esp=3des-md5
>>         pfs=no
>>         keyexchange=ike
>>
>
>> The roadwarriors can establish the tunnel and bring it up, but
>> when more than two roadwarriors try to connect, one of them drops the
>> tunnel.
>>
>
> You need to use different conn's for different roadwarriors, otherwise
> openswan thinks they are the machine on a different IP. With PSK's you
> need to use leftid= and rightid= and not base them on IP.
>
> The proper solution though, is to switch to X.509 based connections. Then
> openswan "instantiates" your conn (copies the conn for each connecting
> client)
>
> Paul
>
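The two practical points in this exchange, one conn per static-IP roadwarrior with its own leftid/rightid and PSK (Paul's advice above), and the missing crlnumber file behind the "error while loading CRL number" failure, as an added shell example. This is editor-written code, not from the original post, the linked tutorial or the Openswan project; every address, ID, conn name and secret is a constructed placeholder (RFC 5737 documentation ranges, example.net IDs), the leftsubnet is the one from the quoted conn, and the CA layout is assumed to put crlnumber next to the other CA files named in openssl.cnf:

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# Openswan project. Renders one conn per static-IP roadwarrior, each with its
# own leftid/rightid and its own PSK, and seeds the crlnumber file that
# "openssl ca -gencrl" complained about. All names, addresses and secrets are
# constructed placeholders (RFC 5737 documentation ranges, example.net IDs).

SERVER_IP=203.0.113.10          # assumed public IP of the Openswan gateway
SERVER_ID=@vpn.example.net      # assumed gateway ID; "@" marks an FQDN-type ID, never resolved
SERVER_SUBNET=10.105.0.0/16     # leftsubnet from the conn quoted in the thread

# render_conn NAME PEER_IP PEER_SUBNET
# One stanza per roadwarrior, keyed on a distinct conn name and rightid, so a
# second peer is not treated as the first one showing up from a new address.
render_conn() {
    name=$1; peer_ip=$2; peer_subnet=$3
    cat <<EOF
conn $name
        type=tunnel
        authby=secret
        keyexchange=ike
        left=$SERVER_IP
        leftid=$SERVER_ID
        leftsubnet=$SERVER_SUBNET
        right=$peer_ip
        rightid=@$name.example.net
        rightsubnet=$peer_subnet
        esp=aes128-sha1
        pfs=yes
        auto=add

EOF
}

# render_secret NAME PSK
# ipsec.secrets line for the IDs above, in the form:  <leftid> <rightid> : PSK "..."
# One line per peer is what makes a different PSK per roadwarrior possible.
render_secret() {
    printf '%s @%s.example.net : PSK "%s"\n' "$SERVER_ID" "$1" "$2"
}

# ensure_crlnumber CADIR
# "openssl ca -gencrl" reads the next CRL number from the file named by the
# crlnumber= setting in openssl.cnf (assumed here to be CADIR/crlnumber) and
# aborts with "error while loading CRL number" when that file is absent.
# Seed it with an even-length hex value; openssl increments it per CRL issued.
ensure_crlnumber() {
    [ -f "$1/crlnumber" ] || printf '01\n' > "$1/crlnumber"
    cat "$1/crlnumber"
}

# Demo: write everything into a scratch directory, never straight into /etc.
OUT=$(mktemp -d)
{
    render_conn madrid   198.51.100.20 192.168.200.60/32
    render_conn valencia 198.51.100.21 192.168.200.61/32
} > "$OUT/ipsec.conf"
{
    render_secret madrid   'Madrid-PSK-1'
    render_secret valencia 'Valencia-PSK-2'
} > "$OUT/ipsec.secrets"
chmod 600 "$OUT/ipsec.secrets"
ensure_crlnumber "$OUT" > /dev/null
echo "rendered $OUT/ipsec.conf, $OUT/ipsec.secrets and $OUT/crlnumber"
```

Two caveats on the design. In IKEv1 main mode the responder has to pick the PSK from the peer's source address before the (encrypted) ID payload arrives, so the per-peer secrets above only work because each roadwarrior keeps a static IP, exactly the situation described in the thread; dynamically addressed PSK clients are where the shared-secret uniqueids=no workaround comes from. The example also swaps the quoted esp=3des-md5 / pfs=no for aes128-sha1 with PFS; that is the editor's choice, not something the thread states, and the ShrewSoft client would need the matching proposal.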