From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Oct 30 2002 - 21:05:06 CET
On Wed, 30 Oct 2002, marc gazal wrote:
> When I type "ipsec auto --up sample" on the road warrior using modem
> pppd dynamic IP address, the system returns an error saying:
>
> No preshared key for U.V.W.X and A.B.C.D
>
> U.V.W.X = ip address of ppp0 interface
> A.B.C.D = public static IP address of router on the other side
>
> So I stop the connection: ipsec auto --down sample
>
> I modify ipsec.secrets so that it is U.V.W.X A.B.C.D "secret"
>
> I read back the secrets: ipsec auto --rereadsecrets
> I attempt to launch the connection: ipsec auto --up sample
>
> and it works fine!!
>
> Can someone help me to get something working so I'm not obliged to change
> ipsec.secrets of the road warrior each time I get a new IP address?
Aha! There is a trick to this; from the man page for ipsec.secrets:
An entry with no index will match any host and peer. More
specifically, an entry with one index will match a host and peer if the
index matches the host's ID (the peer isn't considered).
We'll use this, and some ID information, to facilitate your situation.
> #-------------- IPSEC.CONF of ROADWARRIOR -----------------------------
>
> conn sample
> authby=secret
> # Left security gateway, subnet behind it, next hop toward right.
> left=A.B.C.D
> leftsubnet=192.168.10.0/24
> leftnexthop=X.Y.Z.T
> # Right security gateway, subnet behind it, next hop toward left.
> right=%defaultroute
Add this line here:
rightid=@roadwarrior
> # To authorize this connection, but not actually start it, at startup,
> # uncomment this.
> auto=add
>
> #--------IPSEC.SECRETS OF ROADWARRIOR and ROUTER -----------------------
> %any A.B.C.D: PSK "secret"
On the roadwarrior, use:
@roadwarrior A.B.C.D: PSK "secret"
On the router, use:
A.B.C.D: PSK "secret"
With PSKs, %any in ipsec.secrets doesn't mean exactly what it implies; it
facilitates the use of any *IP* address as ID. The roadwarrior is using ID
information, which will cause a conflict. Like the man page says, if you don't
specify peer information (by IP address, or by %any) then any peer, regardless
of how it identifies itself, will match.
You shouldn't need to modify the router's ipsec.conf.
--
Sam Sgro
sam_at_freeswan.org
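The following is an added example, not code from the original post and not FreeS/WAN's own secret-selection code. It models the ipsec.secrets index-matching rules quoted from the man page above (no index matches anything; one index matches when it equals the host's own ID, the peer is not considered) and applies them to the two entries Sam recommends, using RFC 5737 addresses in place of A.B.C.D and U.V.W.X. Two things are assumptions of the model rather than statements from the page: that a two-index entry is matched as host ID first, peer ID second (the order Sam uses), and that a more specific entry is preferred over a less specific one. %any is deliberately left out, since the thread does not pin down its semantics. The function and variable names are the example's own.

```python
# Added example: a toy model of ipsec.secrets index matching (not pluto code).
# IDs are plain strings: a dotted IPv4 address or an "@name" identifier.
# %any is not modelled; IPv6 literals (which contain ':') are not supported.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Secret:
    indices: tuple   # (), (host,) or (host, peer)   -- order is an assumption
    kind: str        # only "PSK" is accepted by this model
    value: str


def parse_secrets(text):
    """Parse lines of the form   [index [index]]: PSK "value"
    '#' comments and blank lines are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head, sep, tail = line.partition(":")
        if not sep:
            raise ValueError("missing ':' in %r" % raw)
        indices = tuple(head.split())
        if len(indices) > 2:
            raise ValueError("at most two indices supported: %r" % raw)
        m = re.match(r'^\s*PSK\s+"([^"]*)"\s*$', tail)
        if not m:
            raise ValueError('expected PSK "..." in %r' % raw)
        out.append(Secret(indices, "PSK", m.group(1)))
    return out


def lookup_psk(secrets, host_id, peer_id):
    """Man page rules: no index -> any host and peer; one index -> must equal
    the host's ID, peer not considered.  Assumed here: two indices -> first
    equals host ID and second equals peer ID; the most specific match wins."""
    best = None
    for s in secrets:
        if len(s.indices) == 0:
            ok = True
        elif len(s.indices) == 1:
            ok = s.indices[0] == host_id
        else:
            ok = s.indices[0] == host_id and s.indices[1] == peer_id
        if ok and (best is None or len(s.indices) > len(best.indices)):
            best = s
    return best.value if best else None


# Constructed inputs mirroring the thread; 203.0.113.1 stands in for A.B.C.D
# and 198.51.100.7 for whatever address ppp0 happens to get.
GATEWAY = "203.0.113.1"
ROADWARRIOR_SECRETS = '@roadwarrior 203.0.113.1: PSK "secret"\n'   # Sam's roadwarrior entry
ROUTER_SECRETS = '203.0.113.1: PSK "secret"\n'                      # Sam's router entry


def demo():
    rw = parse_secrets(ROADWARRIOR_SECRETS)
    rt = parse_secrets(ROUTER_SECRETS)
    return {
        # rightid=@roadwarrior: the lookup no longer depends on ppp0's address
        "rw_with_rightid": lookup_psk(rw, "@roadwarrior", GATEWAY),
        # without rightid the roadwarrior identifies by its dynamic IP: no match
        "rw_without_rightid": lookup_psk(rw, "198.51.100.7", GATEWAY),
        # router side: one index, peer not considered, so any peer ID matches
        "router_named_peer": lookup_psk(rt, GATEWAY, "@roadwarrior"),
        "router_ip_peer": lookup_psk(rt, GATEWAY, "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, psk in demo().items():
        print(name, "->", psk)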
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Thu Oct 31 2002 - 05:20:35 CET