[strongSwan] secrets and fqdn

Andreas Steffen andreas.steffen at strongswan.org
Fri Nov 5 20:32:27 CET 2010

Hello Henry,

the reason for the different behaviour is probably due to the use
of the libstrongswan identification_t type in the pluto daemon
which does not resolve FQDNs that have a preceding '@' character.
As a workaround you can define left|rightid in your connection

conn xyz

@moon.strongswan.org @sun.strongswan.org : RSA "my secret"

Probably the '@' character in the IDs is not even needed.
On 11/05/2010 05:52 PM, Henry R. Prins wrote:
> Help Please,
> I just replaced a Linux box which was doing my VPN tunnels; for some
> reason the settings I used before are no longer working. My secrets file
> has always had the FQDN names due to the fact that a lot of the IPs do
> change. And the appropriate FQDNs were set in the ipsec.conf as both
> the right and the left=fqdn.domain.com. For some reason since I
> started using the new box I get…
> Can’t authenticate: no preshared key found for `##.###.###.##` and
> `##.###.###.##`. Attribute OAKLEY_ATHENTICATION_METHOD.
> The IP addresses are the resolution of the FQDN names entered in both
> files. If I change the ipsec.secrets file to use the IP address it
> works, but of course now I have to update that every time the IP address
> changes. Not quite as easy a workaround, because when it changes now you
> have to figure out what the old IP was in order to change it to the new
> one. It seems like the FQDN names in the ipsec.secrets file are not
> being converted to IP addresses. Is there something simple I’m missing?
> Henry.

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
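The following is an added illustration and not part of this thread or of strongSwan's own code: a small Python model of the secret lookup that the exchange above describes. It assumes, as Andreas explains, that a selector written with a leading '@' in ipsec.secrets is kept as an FQDN identity and never resolved, that a bare hostname is resolved to an address when the file is loaded, and that a connection without left|rightid identifies the peers by their IP addresses. The DNS table, the addresses (documentation ranges) and the quoted-string RSA entry are constructed for the example; a real secrets file has more entry forms than the subset parsed here.

```python
import ipaddress
import re

# Constructed stand-in for DNS. Bare hostnames are resolved when the secrets
# file is loaded, so a changed A record leaves a stale address in the table.
DNS = {
    "moon.strongswan.org": "192.0.2.10",     # constructed, documentation range
    "sun.strongswan.org": "198.51.100.20",   # constructed, documentation range
}

def resolve(name):
    return DNS[name]

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_selector(token):
    """Classify one selector of an ipsec.secrets entry (model of pluto's rules).

    '@name'      -> ('FQDN', 'name')   kept as an identity, never resolved
    dotted quad  -> ('IP', address)
    bare name    -> ('IP', address)    resolved to an address at load time
    '%any'       -> ('ANY', None)
    """
    if token == "%any":
        return ("ANY", None)
    if token.startswith("@"):
        return ("FQDN", token[1:])
    if _is_ip(token):
        return ("IP", str(ipaddress.ip_address(token)))
    return ("IP", resolve(token))

# Simplified subset of the ipsec.secrets syntax: selectors, a colon, the kind,
# and a quoted secret (the thread's own RSA line uses this shape).
SECRET_RE = re.compile(
    r'^\s*(?P<sel>[^:]*?)\s*:\s*(?P<kind>PSK|RSA)\s+"(?P<secret>[^"]*)"\s*$')

def load_secrets(text):
    """Return a list of (selectors, kind, secret) with selectors classified."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECRET_RE.match(line)
        if not m:
            raise ValueError("unsupported secrets line: " + line)
        selectors = [parse_selector(t) for t in m.group("sel").split()]
        entries.append((selectors or [("ANY", None)], m.group("kind"), m.group("secret")))
    return entries

def peer_identity(conn, side):
    """leftid/rightid when set; otherwise the identity defaults to the endpoint's IP."""
    ident = conn.get(side + "id")
    if ident:
        return parse_selector(ident)
    host = conn[side]
    return ("IP", host if _is_ip(host) else resolve(host))

def find_secret(entries, conn):
    """First entry whose selectors cover both connection identities, or None."""
    ids = {peer_identity(conn, "left"), peer_identity(conn, "right")}
    for selectors, kind, secret in entries:
        if ("ANY", None) in selectors or ids.issubset(selectors):
            return (kind, secret)
    return None

# Constructed sample files: the '@' form from Andreas' reply and the bare-name form.
SECRETS_BY_FQDN = '@moon.strongswan.org @sun.strongswan.org : RSA "my secret"\n'
SECRETS_BY_NAME = 'moon.strongswan.org sun.strongswan.org : PSK "other secret"\n'

CONN_NO_IDS = {"left": "moon.strongswan.org", "right": "sun.strongswan.org"}
CONN_WITH_IDS = dict(CONN_NO_IDS,
                     leftid="@moon.strongswan.org", rightid="@sun.strongswan.org")

def stale_after_dns_change():
    """Bare-name entries are resolved once; a later address change breaks the match."""
    entries = load_secrets(SECRETS_BY_NAME)      # resolved with the old address
    DNS["sun.strongswan.org"] = "198.51.100.99"  # constructed: the peer moves
    try:
        return find_secret(entries, CONN_NO_IDS)  # None: table still holds .20
    finally:
        DNS["sun.strongswan.org"] = "198.51.100.20"

if __name__ == "__main__":
    print(find_secret(load_secrets(SECRETS_BY_FQDN), CONN_NO_IDS))    # None
    print(find_secret(load_secrets(SECRETS_BY_FQDN), CONN_WITH_IDS))  # ('RSA', 'my secret')
    print(find_secret(load_secrets(SECRETS_BY_NAME), CONN_NO_IDS))    # ('PSK', 'other secret')
    print(stale_after_dns_change())                                   # None
```

The first lookup reproduces Henry's error: the secrets entry is keyed by FQDN identities while the connection, lacking left|rightid, presents IP addresses, so nothing matches. Setting leftid/rightid to the same '@' identities makes the lookup succeed independently of the addresses, which is the point of the workaround; the last call shows why resolving bare names at load time is the fragile alternative.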
