If I recall correctly, ipsec.secrets will NOT allow a catch-all entry if
you are using preshared secrets.  That's the reason you want to go to
RSA keys if you have a dynamic end to the tunnel - they will allow this,
if you set a name as Charles suggested.

If you want to stay with the preshared secrets, I'd suggest adding a
dynamic dns daemon on the dynamic end so that you can find the gateway
with ssh - you'll need to edit ipsec.secrets every time the IP changes!

Once you get your head around RSA, you'll wonder why you wasted any time
with the shared secrets ;-)

Brock

> To: <[EMAIL PROTECTED]>
> Subject: Re: [Leaf-user] Dynamic VPN Gatewy..... Almost
> From: [EMAIL PROTECTED]
> Date: Thu, 25 Apr 2002 10:05:26 -0400
> 
> Charles,
> 
> >It sounds like IPSec isn't finding the proper secret to use unless the
> >secret is tagged with the remote IP.  Are you assigning connection ID's in
> >ipsec.conf?  IPSec will use the IP as a default ID if you don't assign one
> >manually.  I typically use unresolved names as a connection ID, rather than
> >IP addresses...they are easier for me to remember (and make sense of).
> >IIRC, there may also be some limitations on using pre-shared-secrets vs. RSA
> >signature keys...which are you trying to use?
> >
> >Try something like:
> >
> >[EMAIL PROTECTED]
> >[EMAIL PROTECTED]
> >
> >in your connection description at both ends...
> >
> >If that doesn't help, you'll probably have to provide your ipsec.conf
> >and ipsec.secrets file for inspection (remove/alter any private info
> >from ipsec.secrets before posting, but keep it otherwise intact).
> 
> I am using shared secrets. I will at one point want to try the RSA
> encryption but I have experience with shared secrets and figured to start
> there and then go to RSA. In my previous experience with FreeS/WAN (v.
> 1.34 I believe) I would specify 0.0.0.0 for anyone in the ipsec.secrets
> file on the static gateway and 127.0.0.1 for local IP on the dynamic
> gateway. I have not seen this instructed at all for the v1.91 with which I
> am working. What should the ipsec.secrets file be for the static and
> dynamic gateways? I currently have this for both:
> 
> 216.29.35.154 0.0.0.0:PSK "secretgoeshere"
> 
> If you like I will provide the files.
> 
> Jason Massey


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
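
The RSA setup with named connection IDs suggested in this thread could look like the following in FreeS/WAN. This is an added example, not configuration posted by anyone in the thread; the `@` ID names and connection name are assumed, and the key values are placeholders to be replaced with each gateway's real public key.

```conf
# --- ipsec.conf on the STATIC gateway (constructed example) ---
conn dynamic-peer
    authby=rsasig                  # RSA signatures instead of a preshared secret
    left=216.29.35.154             # static gateway address, as given in the thread
    leftid=@static.example.net     # assumed name; the @ form is not resolved in DNS
    leftrsasigkey=<PUBLIC-KEY-OF-STATIC-GATEWAY>
    right=%any                     # peer address is not known in advance
    rightid=@dynamic.example.net   # assumed name; the peer is matched on this ID
    rightrsasigkey=<PUBLIC-KEY-OF-DYNAMIC-GATEWAY>
    auto=add                       # load the connection and wait for the peer

# --- ipsec.conf on the DYNAMIC gateway (constructed example) ---
conn dynamic-peer
    authby=rsasig
    left=216.29.35.154
    leftid=@static.example.net
    leftrsasigkey=<PUBLIC-KEY-OF-STATIC-GATEWAY>
    right=%defaultroute            # use whatever address the uplink currently has
    rightid=@dynamic.example.net
    rightrsasigkey=<PUBLIC-KEY-OF-DYNAMIC-GATEWAY>
    auto=start                     # the dynamic side initiates the tunnel

# --- ipsec.secrets on EACH gateway (constructed example) ---
# Each gateway holds only its own private key. No peer IP address appears
# here, so nothing needs editing when the dynamic address changes.
: RSA {
    # private key material generated on this gateway goes here
    }
```

Only public keys are copied between the two machines; the private key block in ipsec.secrets never leaves the gateway it was generated on, and the file should be readable by root only.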
