[Openswan Users] ipsec.secrets for a host with a dynamic IP
Nick Howitt
n1ck.h0w1tt at gmail.com
Fri Oct 23 09:13:16 EDT 2009
Changing to:
%any farFQDN : PSK "shared secret"
is giving a small issue. I have a second incoming vpn from a router on a
dynamic IP, so my ipsec.secrets file now reads:
: PSK "Dial-In secret"
%any farFQDN : PSK "shared secret"
and now when the router on a dynamic IP renegotiates I am seeing in my
log file:
multiple ipsec.secrets entries with distinct secrets match endpoints:
first secret used
If I reverse the order of the secrets file, the router with the dynamic
IP cannot connect with:
probable authentication failure (mismatch of preshared secrets?):
malformed payload in packet payload malformed after IV
If I change to:
: PSK "Dial-In secret"
farFQDN : PSK "shared secret"
With the lines in either order, the dynamic IP router connects fine, but
the static one fails to negotiate Main Mode with:
discarding duplicate packet; already STATE_MAIN_I3
"MumOut" #515: max number of retransmissions (2) reached STATE_MAIN_I3.
Possible authentication failure:
It seems like a %defaultroute type of solution would get round this.
As a separate question, for the router at farFQDN, if it changes IP, do
I have to reload the secrets file or will farFQDN be internally
re-evaluated as Openswan attempts to renegotiate the connection?
Regards,
Nick
On 22/10/2009 19:21, Nick Howitt wrote:
> Yes. Presumably that will match the secret only for farfqdn like:
>
> %any farfqdn : PSK "shared secret"
>
> I was wondering if I could be more specific for my IP. Practically
> speaking, if it worked, would there be any difference between:
>
> %defaultroute farfqdn : PSK "shared secret"
>
> and
>
> %any farfqdn : PSK "shared secret"
>
> Nick
>
> On 22/10/2009 19:11, Paul Wouters wrote:
>
>> On Thu, 22 Oct 2009, Nick Howitt wrote:
>>
>>
>>> I have a dynamic (almost static) IP address with a tunnel I initiate to
>>> another router. Currently my ipsec.secrets reads:
>>>
>>> myfqdn farfqdn : PSK "shared secret"
>>>
>>> In the ipsec.conf I can use %defaultroute for left so if my IP changes
>>> it always picks up the correct one. In ipsec.secrets I cannot see any
>>> equivalent parameter so I use myfqdn instead.
>>>
>> %any (or 0.0.0.0)
>>
>> Paul
>>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
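The three ipsec.secrets variants discussed in this thread, run through a small model of PSK entry selection. This is an added example, not code from the original post and not Openswan's own lookup code: it is a simplified approximation of the selection rules (an entry with no indices is the default; %any and 0.0.0.0 are wildcards; an entry has to cover both the local and the remote endpoint; the most specific match wins; equally specific entries carrying different secrets are flagged and the first one in file order is used). The endpoint labels myFQDN and farFQDN and the dynamic address 203.0.113.7 are constructed, and the results should be checked against the pluto version actually in use.

```python
"""Model of ipsec.secrets PSK selection (simplified, not Openswan's code).

Which entry does a given local/remote endpoint pair pick up, and when
is the choice ambiguous?  Indices are compared as lower-cased strings;
FQDN indices are not resolved here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

WILDCARDS = {"%any", "0.0.0.0"}


@dataclass
class PskEntry:
    indices: List[str]   # empty list = the default entry (': PSK "..."')
    secret: str
    lineno: int


# '<indices> : PSK "secret"'; the colon must start the line or follow whitespace,
# so IPv6 indices containing ':' are not mistaken for the separator.
ENTRY_RE = re.compile(r'^(?P<idx>.*?)(?:^|\s):\s+PSK\s+"(?P<secret>[^"]*)"\s*$')


def parse_secrets(text: str) -> List[PskEntry]:
    """Parse PSK lines only; comment lines and blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a PSK entry: {raw!r}")
        entries.append(PskEntry(m.group("idx").lower().split(), m.group("secret"), n))
    return entries


def entry_match(entry: PskEntry, local: str, remote: str) -> Optional[int]:
    """Specificity score if the entry covers both endpoints, else None.

    An endpoint is covered by an index equal to it (+1) or by a wildcard (+0).
    The default entry covers everything at score 0.
    """
    if not entry.indices:
        return 0
    has_wildcard = bool(WILDCARDS.intersection(entry.indices))
    score = 0
    for endpoint in (local.lower(), remote.lower()):
        if endpoint in entry.indices:
            score += 1
        elif not has_wildcard:
            return None          # this end is not covered at all
    return score


def select_psk(entries: List[PskEntry], local: str, remote: str
               ) -> Tuple[Optional[PskEntry], List[str]]:
    """Pick the most specific match; report ties with distinct secrets (first wins)."""
    warnings: List[str] = []
    best: Optional[PskEntry] = None
    best_score = -1
    for e in entries:
        score = entry_match(e, local, remote)
        if score is None:
            continue
        if score > best_score:
            best, best_score = e, score
        elif best is not None and score == best_score and e.secret != best.secret:
            warnings.append(f"lines {best.lineno} and {e.lineno} both match "
                            f"{local} <-> {remote} with distinct secrets: first used")
    if best is None:
        warnings.append(f"no PSK entry covers {local} <-> {remote}")
    return best, warnings


def psk_for(config: str, local: str, remote: str) -> Tuple[Optional[str], List[str]]:
    best, warnings = select_psk(parse_secrets(config), local, remote)
    return (best.secret if best else None), warnings


# Constructed sample files mirroring the variants tried in the thread.
CONFIG_ANY = ': PSK "Dial-In secret"\n%any farFQDN : PSK "shared secret"\n'
CONFIG_ANY_REVERSED = '%any farFQDN : PSK "shared secret"\n: PSK "Dial-In secret"\n'
CONFIG_PEER_ONLY = ': PSK "Dial-In secret"\nfarFQDN : PSK "shared secret"\n'
CONFIG_BOTH_ENDS = ': PSK "Dial-In secret"\nmyFQDN farFQDN : PSK "shared secret"\n'

if __name__ == "__main__":
    for name, cfg in [("any", CONFIG_ANY), ("any reversed", CONFIG_ANY_REVERSED),
                      ("peer only", CONFIG_PEER_ONLY), ("both ends", CONFIG_BOTH_ENDS)]:
        for peer in ("farFQDN", "203.0.113.7"):      # static router, dynamic router
            secret, warns = psk_for(cfg, "myFQDN", peer)
            print(f"{name:13} peer={peer:12} -> {secret!r} {warns}")
```

In this model the `%any farFQDN` entry and the default entry are equally specific for the dynamic router, which is why the order of the two lines decides which secret it gets, while the static router picks the `%any farFQDN` entry unambiguously. A `farFQDN`-only entry covers the remote end but not the local one, so it never matches and the static tunnel falls back to the default secret.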