[Openswan Users] IPSEC exploitation on the loose?

Nick Howitt n1ck.h0w1tt at gmail.com
Fri Jun 25 13:17:00 EDT 2010


  Aren't they transmitted in plain text in the earlier exchanges prior 
to key exchange? If ipsec.secrets is re-read as part of the DPD action, 
then you can use a left and right with FQDNs in the conns, restricting 
the range of IPs that can connect.

I will try with your leftid/rightid as it is better than nothing. I 
already use rightid in the exchange as I know how to do that in the far 
routers (assuming they are right). I don't know how to do a leftid in 
the far router.

Nick

On 25/06/2010 18:06, Paul Wouters wrote:
> On Fri, 25 Jun 2010, Nick Howitt wrote:
>
>> My far endpoints are on dynamic IPs. It would be nice if DPD actions 
>> could force the re-reading of ipsec.secrets because then
>> it would become viable to use FQDNs in the ipsec.secrets file. The 
>> only downside of this approach is that the
>> re-establishment of the tunnel is dependent on how fast the Dynamic 
>> DNS updates to the new IP addresses.
>
> You should be able to use leftid/rightid and put those in ipsec.secrets?
>
> Paul
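As an added illustration of Paul's leftid/rightid suggestion (not a configuration from the thread; host names, addresses and the secret are placeholders), the hub side accepts the roaming spoke by its ID rather than by its current address, and the spoke side shows where leftid goes on the far router, which is the part Nick was unsure about:

```conf
# --- ipsec.conf on the hub (fixed address, assumed 203.0.113.10) ---
conn spoke1
    left=203.0.113.10
    leftid=@hub.example.net        # our own ID, sent to the peer
    right=%any                     # peer's address is dynamic
    rightid=@spoke1.example.net    # peer must present this ID
    authby=secret
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear                # drop the dead SA; the spoke re-initiates
    auto=add                       # responder only: wait for the spoke

# --- ipsec.secrets on the hub: PSK keyed by the two IDs, not by address ---
@hub.example.net @spoke1.example.net : PSK "replace-with-a-long-random-secret"

# --- ipsec.conf on the spoke (far router, dynamic address) ---
conn hub
    left=%defaultroute             # whatever address we currently have
    leftid=@spoke1.example.net     # this is the "leftid in the far router"
    right=203.0.113.10
    rightid=@hub.example.net
    authby=secret
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart              # re-establish after an address change
    auto=start

# --- ipsec.secrets on the spoke: same pair, same PSK ---
@spoke1.example.net @hub.example.net : PSK "replace-with-a-long-random-secret"
```

Because the secret is selected by the ID pair, neither ipsec.secrets file has to change when the spoke's address does; the trade-off is that an ID alone does not restrict which source addresses may attempt the exchange, so any address-based filtering has to be done separately.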
