[strongSwan] secrets and fqdn

Andreas Steffen andreas.steffen at strongswan.org
Mon Nov 8 18:18:36 CET 2010

Hello Henry,

there is no way to go back to the old way.


On 08.11.2010 15:00, Henry R. Prins wrote:
> Andreas,
> So now instead of getting the message, no preshared key found for
> ##.###.###.##, I get this instead...
>    we require peer to have ID 'rdp.FQDN.com', but peer declares
> '##.###.###.##'
> This is something that used to work, is there a flag or something I can
> do to make it go back to using the old way?
> Henry.
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
> Sent: Friday, November 05, 2010 3:32 PM
> To: Henry R. Prins
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] secrets and fqdn
> Hello Henry,
> the reason for the different behaviour is probably due to the use
> of the libstrongswan identification_t type in the pluto daemon
> which does not resolve FQDNs that have a preceding '@' character.
> As a workaround you can define left|rightid in your connection
> definition:
> ipsec.conf:
> conn xyz
>       left=moon.strongswan.org
>       leftid=@moon.strongswan.org
>       right=sun.strongswan.org
>       rightid=@sun.strongswan.org
>       ...
> ipsec.secrets:
> @moon.strongswan.org @sun.strongswan.org : RSA "my secret"
> Probably the '@' character in the IDs is not even needed.
> Regards
> Andreas
> On 11/05/2010 05:52 PM, Henry R. Prins wrote:
>> Help Please,
>> I just replaced a Linux box which was doing my VPN tunnels, for some
>> reason the settings I used before are no longer working. My secrets
>> file has always had the FQDN names due to the fact that a lot of the
>> IPs do change. And the appropriate FQDNs were set in the ipsec.conf as
>> both the right and the left=fqdn.domain.com. For some reason since I
>> started using the new box I get...
>> Can't authenticate: no preshared key found for `##.###.###.##` and
>> `##.###.###.##`. Attribute OAKLEY_ATHENTICATION_METHOD.
>> The IP addresses are the resolution of the FQDN names entered in both
>> files. If I change the ipsec.secrets file to use the IP address it
>> works, but of course now I have to update that every time the IP
>> address changes. Not quite as easy a workaround, because when it
>> changes now you have to figure out what the old IP was in order to
>> change it to the new one. It seems like the FQDN names in the
>> ipsec.secrets file are not being converted to IP addresses. Is there
>> something simple I'm missing?
>> Henry.

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
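To make the ID-matching problem in this thread concrete, here is a small added model of ipsec.secrets selector matching (example code written for this page, not strongSwan's own implementation). It assumes a simplified rule: a selector with a leading '@' is a literal FQDN ID, a bare hostname is either resolved to an address (the old behaviour Henry relied on) or kept as an FQDN ID, and a PSK entry matches only when its selectors cover both the local ID and the ID the peer declares; the hostnames and addresses are constructed.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed stand-in for DNS lookups (not the real addresses of these hosts).
FAKE_DNS = {"moon.strongswan.org": "192.0.2.1", "sun.strongswan.org": "192.0.2.2"}

def normalize_id(raw: str, resolve_names: bool) -> str:
    """Canonicalise one selector or declared ID. '@name' is always a literal
    FQDN ID. A bare hostname is resolved to an address when resolve_names is
    True (the old box) and kept as an FQDN ID otherwise (the new box)."""
    if raw.startswith("@"):
        return "fqdn:" + raw[1:].lower()
    if re.fullmatch(r"\d+(\.\d+){3}", raw):
        return "ip:" + raw
    if resolve_names:
        return "ip:" + FAKE_DNS[raw.lower()]
    return "fqdn:" + raw.lower()

def parse_secrets(text: str, resolve_names: bool) -> List[Tuple[Set[str], str]]:
    """Parse 'sel1 sel2 : PSK "value"' lines into (selector set, secret)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        selectors, _, rest = line.partition(":")
        secret = rest.strip().split(" ", 1)[1].strip().strip('"')
        ids = {normalize_id(s, resolve_names) for s in selectors.split()}
        entries.append((ids, secret))
    return entries

def lookup_psk(secrets: str, local_id: str, peer_id: str,
               resolve_names: bool) -> Optional[str]:
    """Return the PSK whose selectors cover both IDs, or None, which is the
    case where the daemon reports 'no preshared key found for A and B'."""
    want = {normalize_id(local_id, resolve_names),
            normalize_id(peer_id, resolve_names)}
    for ids, secret in parse_secrets(secrets, resolve_names):
        if not ids or want <= ids:   # an empty selector list is a wildcard
            return secret
    return None

# Constructed secrets line in the form Henry used (bare FQDNs, no leftid/rightid).
OLD_SECRETS = 'moon.strongswan.org sun.strongswan.org : PSK "my secret"'
# Constructed secrets line in the form Andreas suggested, paired with
# leftid=@moon.strongswan.org / rightid=@sun.strongswan.org in ipsec.conf.
NEW_SECRETS = '@moon.strongswan.org @sun.strongswan.org : PSK "my secret"'
```

Running `lookup_psk(OLD_SECRETS, "192.0.2.1", "192.0.2.2", False)` reproduces Henry's failure (no key found once names are no longer resolved), while `lookup_psk(NEW_SECRETS, "@moon.strongswan.org", "@sun.strongswan.org", False)` shows the lookup succeeding once both sides declare the FQDN IDs the secrets line expects.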
