[Openswan Users] Why does ipsec.secrets work the way it does?

Nick Howitt n1ck.h0w1tt at gmail.com
Wed May 25 09:31:46 EDT 2011


Out of curiosity, when using a PSK, why is the format of the 
ipsec.secrets line:

My_Identifier Remote_Identifier : PSK "secret"

where the identifier is an IP address, FQDN or @string? What I am 
wondering is why you need to match on a local identifier (apart from 
the fact that that is what the specification says)? Conceptually, what 
is the benefit of requiring a match with the local identifier rather 
than just using:

Remote_Identifier : PSK "secret"

Substituting %any for the local identifier is not the same because as 
soon as you have %any the remote identifier becomes irrelevant. I 
believe (but could be wrong) that if you just don't use a local 
identifier then %any is assumed.
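To make the question concrete, here is an added example (not Openswan's code, and not part of the original post) that parses PSK lines in the format quoted above and picks the secret for a given local/remote identifier pair. The matching model is an assumption for illustration: an entry matches when both the local and the remote identifier are either listed on it or covered by %any, the most specific entry wins, and a line with no identifiers before the colon is treated as %any, as the post suggests.

```python
import shlex
from dataclasses import dataclass

# Constructed sample ipsec.secrets content for this example; not a real deployment.
SAMPLE_SECRETS = """
# local-id remote-id : PSK "secret"
192.0.2.1 198.51.100.7 : PSK "peer-seven-secret"
192.0.2.1 @branch.example : PSK "branch-secret"
%any : PSK "catch-all-secret"
"""


@dataclass(frozen=True)
class PskEntry:
    ids: tuple    # identifiers left of ':'; '%any' matches any identifier
    secret: str


def parse_secrets(text):
    """Parse 'ID [ID ...] : PSK "secret"' lines; only the PSK form from the post is handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        lhs, sep, rhs = line.partition(':')
        if not sep:
            raise ValueError(f"no ':' in line: {raw!r}")
        rhs_parts = shlex.split(rhs)
        if len(rhs_parts) != 2 or rhs_parts[0] != 'PSK':
            raise ValueError(f"expected PSK \"secret\" in line: {raw!r}")
        # Assumption (from the post): no identifiers before ':' means %any.
        ids = tuple(lhs.split()) or ('%any',)
        entries.append(PskEntry(ids, rhs_parts[1]))
    return entries


def lookup(entries, local_id, remote_id):
    """Return (secret, specificity) of the best entry, or None if nothing matches.

    specificity counts how many of (local_id, remote_id) matched an exact identifier
    rather than %any, so a per-peer line beats a %any catch-all for the same pair.
    """
    best = None
    for entry in entries:
        score = 0
        for actual in (local_id, remote_id):
            if actual in entry.ids:
                score += 1
            elif '%any' not in entry.ids:
                break                     # this identifier is not covered: no match
        else:
            if best is None or score > best[1]:
                best = (entry.secret, score)
    return best
```

Running the lookup for a local identifier that appears on no line shows the effect the post describes: only the %any catch-all can match, so the remote identifier no longer selects a distinct secret.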
