[strongSwan] StrongSwan - difference encryption domain
Noel Kuntze
noel at familie-kuntze.de
Sat Nov 9 10:03:33 CET 2013
Hello Pawel,
You can indeed use different rightid or leftid pairs to match the different tunnels.
Example: use leftid=tunnel1 for tunnel1 and leftid=tunnel2 for tunnel2.
This works.
Regards
Noel Kuntze
On 09.11.2013 at 08:53, Pawel Grzesik wrote:
> Hi
>
> leftid and rightid are something else.
> What I'm trying to say is to have 2 different passwords for two different tunnels but with the same peers.
>
> Let's say I have two tunnels.
>
> conn net1
>     ike=aes256-md5-modp1024!
>     esp=aes256-md5!
>     left=192.168.1.1
>     right=192.168.9.1
>     leftsubnet=123.123.123.0/27
>     rightsubnet=111.111.111.0/32
>     auto=route
>
> conn net2
>     ike=aes256-sha1-modp1024!
>     esp=aes256-sha1!
>     left=192.168.1.1
>     right=192.168.9.1
>     leftsubnet=124.124.124.0/32
>     rightsubnet=2.2.2.2/32
>     auto=route
>
> So I have the same peers but different tunnels. How can I set up my ipsec.secret for them if I need to put the peers and PSK there?
>
> It should be something like:
> 192.168.1.1 192.168.9.1 : PSK "password1" # this should be with leftsubnets 123.123.123.0/27
> 192.168.1.1 192.168.9.1 : PSK "password2" # this should be with leftsubnets 124.124.124.0/32
>
>
> Thanks,
> Pawel
>
> On 9 Nov 2013, at 06:09, Ali Masoudi <masoudi1983 at gmail.com> wrote:
>
>> Hi
>>
>> I think it is possible. You can use different pairs of leftid/rightid.
>>
>> Best wishes
>>
>>
>> On Fri, Nov 8, 2013 at 5:00 PM, Pawel Grzesik <pawel.grzesik at brainstorm.co.uk> wrote:
>>
>> Hi All,
>>
>> Just a quick question. Is it possible to have in the ipsec.secret two different PSKs for the same peers but different tunnels?
>>
>> For example
>> PEER_ME PEER_EXTERNAL : PSK "test1"
>> PEER_ME PEER_EXTERNAL : PSK "test2"
>>
>> I have the same PEER_ME, and PEER_EXTERNAL is also the same IP. The difference is just the PSK and the tunnels. I'm sure it's possible on the Cisco, but what about my site, which is on StrongSwan? Anyone?
>>
>> Thanks,
>> Pawel
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
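The leftid/rightid approach from the reply above, written out as an added configuration example that is not part of the original thread. The addresses and subnets come from the quoted post; the rightid names peer1 and peer2, the authby and keyexchange lines, and the omission of the ike/esp proposal lines are assumptions. Selecting a PSK by identity depends on the responder knowing the peer's ID before it picks the key, which holds for IKEv2 (and IKEv1 aggressive mode) but not for IKEv1 main mode, where the key has to be chosen by IP address.

```conf
# ---- ipsec.conf ----
# Constructed example. Both conns share the same peer addresses and
# differ only in their IKE identities and traffic selectors.
# The remote gateway must be configured with the mirrored IDs.
conn %default
    keyexchange=ikev2     # assumption: see the note on IKEv1 main mode
    authby=secret         # PSK authentication
    left=192.168.1.1
    right=192.168.9.1
    auto=route

conn net1
    leftid=tunnel1        # ID suggested in the reply
    rightid=peer1         # assumed name for the remote ID
    leftsubnet=123.123.123.0/27
    rightsubnet=111.111.111.0/32

conn net2
    leftid=tunnel2        # ID suggested in the reply
    rightid=peer2         # assumed name for the remote ID
    leftsubnet=124.124.124.0/32
    rightsubnet=2.2.2.2/32

# ---- ipsec.secrets ----
# The selectors are the IKE identities, not the peer IP addresses,
# so each tunnel resolves to its own key.
# "password1"/"password2" are the placeholders from the quoted post;
# real deployments need long random values.
tunnel1 peer1 : PSK "password1"
tunnel2 peer2 : PSK "password2"
```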