[Openswan Users] IPSEC exploitation on the loose?
Nick Howitt
n1ck.h0w1tt at gmail.com
Fri Jun 25 13:17:00 EDT 2010
Aren't they transmitted in plain text in the earlier exchanges prior
to key exchange? If ipsec.secrets is re-read as part of the DPD action,
then you can use a left and right with FQDNs in the conns, restricting
the range of IPs that can connect.
I will try with your leftid/rightid as it is better than nothing. I
already use rightid in the exchange as I know how to do that in the far
routers (assuming they are right). I don't know how to do a leftid in
the far router.
Nick
On 25/06/2010 18:06, Paul Wouters wrote:
> On Fri, 25 Jun 2010, Nick Howitt wrote:
>
>> My far endpoints are on dynamic IPs. It would be nice if DPD actions
>> could force the re-reading of ipsec.secrets because then
>> it would become viable to use FQDNs in the ipsec.secrets file. The
>> only downside of this approach is that the
>> re-establishment of the tunnel is dependent on how fast the Dynamic
>> DNS updates to the new IP addresses.
>
> You should be able to use leftid/rightid and put those in ipsec.secrets?
>
> Paul
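As an added illustration (not from this thread), the leftid/rightid approach Paul suggests: the peer with the dynamic address is matched by its ID rather than its IP, and the same two IDs select the PSK line in ipsec.secrets. Hostnames, addresses and the secret are placeholders.

```ini
# /etc/ipsec.conf on the static side (added example; values are placeholders)
conn branch-dynamic
    left=203.0.113.10            # static endpoint
    leftid=@hq.example.org
    right=%any                   # peer address is dynamic, so match on ID instead
    rightid=@branch.example.org
    authby=secret
    aggrmode=yes                 # with PSK, main mode picks the secret by IP before the
                                 # peer's ID is seen; aggressive mode sends the ID in the
                                 # first exchange, unencrypted (the exposure Nick raises)
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear              # responder cannot re-initiate to %any; drop and wait
    auto=add

# /etc/ipsec.secrets (added example; secret is a placeholder)
# Both IDs on the line, not IP addresses, so a peer address change does not
# invalidate the entry.
@hq.example.org @branch.example.org : PSK "replace-with-a-long-random-secret"
```

The dynamic side uses the mirrored conn with `auto=start` and `dpdaction=restart`, so it is the one that re-establishes the tunnel after its address changes.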