[Openswan Users] switch off strict peer ID checking

Hillel hbilman at ecommunicate.co.za
Wed Nov 25 08:27:35 EST 2009


Thanks a lot, it worked. You really know openswan well.

I have used for ipsec.secrets:

xx.yy.zz.3 aa.156.1.6 196.7.66.129: PSK "xxxxxxx"

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: 25 November 2009 08:21 AM
To: Hillel
Cc: users at openswan.org
Subject: Re: [Openswan Users] switch off strict peer ID checking

On Wed, 25 Nov 2009, Hillel wrote:

> We are connecting to a Check Point Firewall that has an external IP address
> and temporary different virtual IP address.
> Our provider says they can't remove it until all their clients have moved to
> the new external IP and we need to switch off strict peer ID checking.
>
> We are getting from the logs:
>
> Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: Main mode peer ID is ID_IPV4_ADDR: 129.7.66.129'
> Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: we require peer to have ID 'aa.156.1.6', but peer declares '196.7.66.129'

So set rightid=196.7.66.129

> If we use the temporary virtual IP address (right=196.7.66.129) we get:
>
> Nov 25 06:53:26 messaging pluto[16971]: | concluding with best_match=0
> best=(nil) (lineno=-1)
> Nov 25 06:53:26 messaging pluto[16971]: "net-openswan-net-checkpoint" #1:
> Can't authenticate: no preshared key found for `xx.yy.zz.3' and

You then need to add "196.7.66.129" to the line that has "aa.156.1.6" in
/etc/ipsec.secrets

Paul
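
An added example, not part of the thread and not Openswan code: a small Python check that recognises the two pluto errors quoted above and reports the change suggested for each (rightid for the ID mismatch, an extra ID on the PSK line for the missing key). The log lines, addresses and secret are constructed; the second ID in the "no preshared key" line and the simplified PSK-line matching are assumptions.

```python
import re

MISMATCH = re.compile(r'"([^"]+)" #\d+: we require peer to have ID \'([^\']+)\', '
                      r'but peer declares \'([^\']+)\'')
NO_PSK = re.compile(r'"([^"]+)" #\d+: Can\'t authenticate: no preshared key found for (.*)')
PSK_LINE = re.compile(r'^\s*([^#:"]*?)\s*:\s*PSK\s+"')

# Constructed sample input with documentation addresses (not the thread's hosts).
SAMPLE_LOG = """\
Nov 25 06:54:33 gw pluto[100]: "net-a-net-b" #1: we require peer to have ID '198.51.100.6', but peer declares '203.0.113.129'
Nov 25 06:55:10 gw pluto[100]: "net-a-net-b" #2: Can't authenticate: no preshared key found for `192.0.2.3' and `203.0.113.129'
""".splitlines()
SAMPLE_SECRETS = '192.0.2.3 198.51.100.6: PSK "constructed-placeholder"\n'


def psk_id_sets(secrets_text):
    """Return one set of IDs per PSK line of an ipsec.secrets file."""
    sets = []
    for line in secrets_text.splitlines():
        m = PSK_LINE.match(line)
        if m:
            sets.append(set(m.group(1).split()))
    return sets


def diagnose(log_lines, secrets_text):
    """Map each of the two pluto errors to the setting that resolves it."""
    id_sets = psk_id_sets(secrets_text)
    findings = []
    for line in log_lines:
        m = MISMATCH.search(line)
        if m:
            conn, want, got = m.groups()
            findings.append(f"conn {conn}: peer declares {got}, config expects "
                            f"{want}; set rightid={got}")
            continue
        m = NO_PSK.search(line)
        if m:
            ids = set(re.findall(r"`([^']+)'", m.group(2)))
            # Simplified assumption: a PSK line is usable only if it lists every
            # ID named in the error (ignores %any, IPv6 and index-less lines).
            if not any(ids <= s for s in id_sets):
                best = max(id_sets, key=lambda s: len(s & ids), default=set())
                findings.append(f"conn {m.group(1)}: add {' '.join(sorted(ids - best))} "
                                f"to the PSK line in ipsec.secrets")
    return findings
```
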


