[strongSwan] secrets and fqdn

Henry R. Prins HPrins at multidataservices.com
Mon Nov 8 15:00:22 CET 2010


Andreas,

So now instead of getting the message, no preshared key found for
##.###.###.##, I get this instead...

   we require peer to have ID 'rdp.FQDN.com', but peer declares
'##.###.###.##'

This is something that used to work. Is there a flag or something I can
do to make it go back to using the old way?

Henry.

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Friday, November 05, 2010 3:32 PM
To: Henry R. Prins
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] secrets and fqdn

Hello Henry,

the reason for the different behaviour is probably due to the use
of the libstrongswan identification_t type in the pluto daemon,
which does not resolve FQDNs that have a preceding '@' character.
As a workaround you can define left|rightid in your connection
definition:

ipsec.conf:

conn xyz
      left=moon.strongswan.org
      leftid=@moon.strongswan.org
      right=sun.strongswan.org
      rightid=@sun.strongswan.org
      ...

ipsec.secrets:

@moon.strongswan.org @sun.strongswan.org : RSA "my secret"

Probably the '@' character in the IDs is not even needed.

Regards

Andreas

On 11/05/2010 05:52 PM, Henry R. Prins wrote:
> Help Please,
>
> I just replaced a Linux box which was doing my VPN tunnels, for some
> reason the settings I used before are no longer working. My secrets
> file has always had the FQDN names due to the fact that a lot of the IPs do
> change. And the appropriate FQDNs were set in the ipsec.conf as
> both the right and the left=fqdn.domain.com. For some reason since I
> started using the new box I get...
>
> Can't authenticate: no preshared key found for `##.###.###.##` and
> `##.###.###.##`. Attribute OAKLEY_ATHENTICATION_METHOD.
>
> The IP addresses are the resolution of the FQDN names entered in both
> files. If I change the ipsec.secrets file to use the IP address it
> works, but of course now I have to update that every time the IP
> address changes. Not quite as easy a workaround, because when it changes now you
> have to figure out what the old IP was in order to change it to the
> new one. It seems like the FQDN names in the ipsec.secrets file are not
> being converted to IP addresses. Is there something simple I'm
> missing?
>
> Henry.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
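Added here as an illustration (not code from the thread or from strongSwan): a small Python checker that applies Andreas's explanation to both files. It parses the `conn` blocks of ipsec.conf and the selector lists of ipsec.secrets, compares ids without the optional `@`, and reports a conn whose left/right is an FQDN with no leftid/rightid (so the id pluto looks up will be the resolved address) or whose id pair no secrets entry covers. Assumptions: a selector-less ipsec.secrets line is the catch-all entry, and only dotted IPv4 literals count as addresses.

```python
import re
# Constructed sample: the working conn from the thread plus one without leftid/rightid.
CONF = """conn xyz
      left=moon.strongswan.org
      leftid=@moon.strongswan.org
      right=sun.strongswan.org
      rightid=@sun.strongswan.org
conn broken
      left=moon.strongswan.org
      right=sun.strongswan.org
"""
SECRETS = '@moon.strongswan.org @sun.strongswan.org : PSK "my secret"\n'
norm = lambda ident: ident.lstrip('@').lower()  # '@' only marks an FQDN id; compare without it

def parse_conns(conf_text):  # {conn_name: {key: value}} for each 'conn' block
    conns, cur = {}, None
    for line in conf_text.splitlines():
        if line.startswith('conn '):
            cur = line.split()[1]
            conns[cur] = {}
        elif cur and line[:1].isspace() and '=' in line:
            key, _, val = line.strip().partition('=')
            conns[cur][key.strip()] = val.strip()
    return conns

def parse_secrets(secrets_text):
    """One selector set per 'selectors : KIND ...' line; an empty set is the catch-all."""
    return [frozenset(norm(s) for s in line.partition(':')[0].split())
            for line in secrets_text.splitlines() if ':' in line.split('#')[0]]

def effective_id(opts, side):
    """Id pluto looks up: leftid/rightid if set, else the address (resolved if an FQDN)."""
    if opts.get(side + 'id'):
        return norm(opts[side + 'id']), False
    addr = opts.get(side, '')
    literal = addr.startswith('%') or re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', addr)  # IPv4 only (assumption)
    return (norm(addr) if literal else f'<resolved-ip-of-{norm(addr)}>'), not literal

def check(conf_text, secrets_text):
    """Return problem strings; an empty list means each conn's id pair is covered."""
    problems, entries = [], parse_secrets(secrets_text)
    for name, opts in parse_conns(conf_text).items():
        pair = set()
        for side in ('left', 'right'):
            ident, resolved = effective_id(opts, side)
            if resolved:
                problems.append(f'conn {name}: {side} is an FQDN but {side}id is unset; the id will be the resolved IP, not the name')
            pair.add(ident)
        if not any(not sel or pair <= sel for sel in entries):
            problems.append(f'conn {name}: no ipsec.secrets entry covers {sorted(pair)}')
    return problems
```

`check(CONF, SECRETS)` reports nothing for `xyz` and three problems for `broken`: both sides lack an explicit id, so the FQDN selectors in ipsec.secrets will never match the IP ids pluto ends up with.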