Charles Steinkuehler wrote:
> > > > ``On the left gateway, we can omit leftrsasig. That gateway uses the
> > > > private key stored in ipsec.secrets(5) and has no need for its own
> > > > public key.''
> > >
> > > When I do that, I get this:
> > >
> > > # ipsec auto --add trout-bluetrout
> > > ipsec_auto: fatal error in "trout-bluetrout": connection has no
> > > "leftrsasigkey" parameter specified
> > >
> > > What am I doing wrong?
> >
> > Anybody know anything about this?
>
> I always include both RSA public keys in the ipsec.conf file.
>
> I put the local information (including leftid, and leftrsasig) in a "conn
> %default" section, then add multiple tunnel definitions with the "include"
> feature of ipsec.conf. All included tunnel descriptions come from
> /etc/ipsec/, and are configured with only the "right side" information. I
> also used unresolved FQDNs for the system IDs, so they don't change if
> IPs get re-assigned (also, some systems are dynamic).
>
> This way, if details on a remote system change, I only have to edit two
> files...the local ipsec.conf file on the system that changed, and the
> /etc/ipsec/<system>.conf file, which can then be rsync'd to all the other
> remote VPN gateways.
[ snip ]

Yes, I understand this; but, I think that /etc/ipsec.conf can be kept even
cleaner and easier to maintain if that public key is kept someplace that no
editor is likely to touch. This text from the FreeS/WAN web documentation
suggests that this is not only possible; but, that somebody is actually doing
this.

If this is really not possible, then I can go on from here without it; but,
I'd really like to know how to do this. I suppose, there's a FreeS/WAN List
Service?

--
Best Regards,
mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think
we know. The more I know, the more I know I don't know . . .

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
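An added illustration (not from the thread or the FreeS/WAN docs) of the layout Charles describes: the gateway's own identity and public key sit in `conn %default`, which also satisfies the "connection has no leftrsasigkey" check quoted above, and each remote gateway gets a right-side-only file under /etc/ipsec/ that can be copied unchanged to every other gateway. Hostnames, addresses, subnets and key strings are placeholders; the two files are shown one after the other in a single block.

```ini
# /etc/ipsec.conf on gateway "trout" (placeholder names and key values).
# Everything local lives in conn %default; each included conn inherits it.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        authby=rsasig
        keyingtries=0
        left=%defaultroute
        # An @-prefixed ID is never resolved, so it survives readdressing.
        leftid=@trout.example.com
        # FreeS/WAN insists on the local public key even though the private
        # key in ipsec.secrets is what actually signs (see the error above).
        leftrsasigkey=0sAQ...PLACEHOLDER-TROUT-PUBKEY...
        auto=add

# One file per remote gateway, carrying only right-side information.
include /etc/ipsec/*.conf

# ---- /etc/ipsec/bluetrout.conf (rsync'd to every gateway except bluetrout) ----
conn bluetrout
        rightid=@bluetrout.example.com
        right=203.0.113.10
        rightsubnet=192.168.20.0/24
        rightrsasigkey=0sAQ...PLACEHOLDER-BLUETROUT-PUBKEY...

# ---- /etc/ipsec/dynhost.conf: a peer on a dynamic address ----
conn dynhost
        rightid=@dynhost.example.com
        # %any lets the peer connect from whatever address it currently holds;
        # the RSA signature, not the address, is what authenticates it.
        right=%any
        rightrsasigkey=0sAQ...PLACEHOLDER-DYNHOST-PUBKEY...
```

When a peer's key or address changes, only that peer's own ipsec.conf and its /etc/ipsec/<system>.conf file need editing, and the latter is then redistributed to the other gateways.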