[strongSwan] secrets and fqdn
andreas.steffen at strongswan.org
Mon Nov 8 18:18:36 CET 2010
there is no way to go back to the old way.
On 08.11.2010 15:00, Henry R. Prins wrote:
> So now instead of getting the message, no preshared key found for
> ##.###.###.##, I get this instead...
> we require peer to have ID 'rdp.FQDN.com', but peer declares
> This is something that used to work, is there a flag or something I can
> do to make it go back to using the old way?
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Friday, November 05, 2010 3:32 PM
> To: Henry R. Prins
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] secrets and fqdn
> Hello Henry,
> the reason for the different behaviour is probably due to the use
> of the libstrongswan identification_t type in the pluto daemon
> which does not resolve FQDNs that have a preceding '@' character.
> As a workaround you can define left|rightid in your connection
> conn xyz
> @moon.strongswan.org @sun.strongswan.org : RSA "my secret"
> Probably the '@' character in the IDs is not even needed.
> On 11/05/2010 05:52 PM, Henry R. Prins wrote:
>> Help Please,
>> I just replaced a Linux box which was doing my VPN tunnels, for some
>> reason the settings I used before are no longer working. My secrets
>> has always had the FQDN names due to the fact that a lot of the IPs do
>> change. And the appropriate FQDN's were set in the ipsec.conf as
>> both the right and the left=fqdn.domain.com. For some reason since I
>> started using the new box I get...
>> Can't authenticate: no preshared key found for `##.###.###.##` and
>> `##.###.###.##`. Attribute OAKLEY_ATHENTICATION_METHOD.
>> The IP addresses are the resolution of the FQDN names entered in both
>> files. If I change the ipsec.secrets file to use the ip address it
>> works, but of course now I have to update that every time the IP
>> changes. Not quite as easy work around because when it changes now you
>> have to figure out what the old IP was in order to change it to the
>> one. It seems like the FQDN names in the ipsec.secrets file are not
>> being converted to ip addresses. Is there something simple I'm
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
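
The workaround from the 5 November reply, written out as an added example (not part of the original messages and not the strongSwan project's own files): explicit FQDN IDs on both gateways, with a secrets entry keyed on the same IDs. The host names are the ones used in the reply; the connection name, `authby=secret` and the `PSK` entry type are assumptions based on the preshared-key error reported in the thread.

```conf
# --- gateway "moon": /etc/ipsec.conf (constructed example) ---
conn xyz
    # left/right may stay as host names; they only locate the peer
    left=moon.strongswan.org
    # ID this gateway declares to the peer
    leftid=@moon.strongswan.org
    right=sun.strongswan.org
    # ID the peer is required to declare
    rightid=@sun.strongswan.org
    # assumption: preshared-key authentication, as in the thread
    authby=secret

# --- gateway "moon": /etc/ipsec.secrets ---
# The selectors are the two IDs set above, so no IP address appears here.
@moon.strongswan.org @sun.strongswan.org : PSK "my secret"

# --- gateway "sun": /etc/ipsec.conf (mirror image of moon) ---
conn xyz
    left=sun.strongswan.org
    leftid=@sun.strongswan.org
    right=moon.strongswan.org
    rightid=@moon.strongswan.org
    authby=secret

# --- gateway "sun": /etc/ipsec.secrets ---
@sun.strongswan.org @moon.strongswan.org : PSK "my secret"
```

The two files mirror each other because each side's `rightid` must equal the `leftid` the other side declares; a mismatch produces the "we require peer to have ID ..., but peer declares ..." message quoted in the follow-up.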