[Openswan Users] switch off strict peer ID checking

Paul Wouters paul at xelerance.com
Wed Nov 25 01:20:45 EST 2009


On Wed, 25 Nov 2009, Hillel wrote:

> We are connecting to a Check Point Firewall that has an external IP address
> and temporary different virtual IP address.
> Our provider says they can't remove it until all their clients have moved to
> the new external IP and we need to switch off strict peer ID checking.
>
> We are getting from the logs:
>
> Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1:
> Main mode peer ID is ID_IPV4_ADDR: 129.7.66.129'
> Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: we
> require peer to have ID 'aa.156.1.6', but peer declares '196.7.66.129'

So set rightid=196.7.66.129

> If we use the temporary virtual IP address (right=196.7.66.129) we get:
>
> Nov 25 06:53:26 messaging pluto[16971]: | concluding with best_match=0
> best=(nil) (lineno=-1)
> Nov 25 06:53:26 messaging pluto[16971]: "net-openswan-net-checkpoint" #1:
> Can't authenticate: no preshared key found for `xx.yy.zz.3' and

You then need to add "196.7.66.129" to the line that has "aa.156.1.6" in /etc/ipsec.secrets

Paul
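
Putting the two suggestions in this reply together, as an added example that is not from the thread or from Openswan's own documentation: the conn keeps strict peer ID checking on but tells pluto which ID the Check Point actually declares (rightid=), and the ipsec.secrets line carries both peer IDs so a PSK is found whichever address the peer is matched under. The addresses are the ones in the quoted log lines (aa.156.1.6 and xx.yy.zz.3 are the poster's own placeholders); the subnets and the PSK value are placeholders, and nothing here was tested against a live Check Point.

```ini
# /etc/ipsec.conf (added example; values taken from the log lines in the thread)
conn net-openswan-net-checkpoint
    left=xx.yy.zz.3              # our external address, as shown in the pluto log
    leftsubnet=LEFT_LAN/24       # placeholder: local network behind this gateway
    right=aa.156.1.6             # Check Point external address we connect to
    rightid=196.7.66.129         # ID the peer declares in Main Mode (its temporary VIP);
                                 # stays the same if right= is later set to 196.7.66.129
    rightsubnet=RIGHT_LAN/24     # placeholder: network behind the Check Point
    authby=secret
    auto=start

# /etc/ipsec.secrets (added example): one PSK line listing both peer IDs, so pluto
# finds the secret whether the peer is looked up as aa.156.1.6 or 196.7.66.129.
# Drop 196.7.66.129 from this line once the provider retires the temporary VIP.
xx.yy.zz.3 aa.156.1.6 196.7.66.129 : PSK "REPLACE-WITH-REAL-PSK"
```

After editing either file, `ipsec secrets` reloads the PSKs and `ipsec auto --replace net-openswan-net-checkpoint` reloads the conn; the "we require peer to have ID" line should then no longer appear in the log.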

