> And now to my question
> ----------------------
> IPSEC SECRETS & MORE THAN ONE TUNNEL
> Configuration of Ipsec secrets
>
> We have one head office, two shops, two employees with cable modems with
> DHCP but known IP addresses for the local nets and two Roadwarriors. If
> possible I would like to keep things as simple as possible and use PSK.

Using PSK is simple, but introduces problems when using dynamic IP
connections (more on this later).

> As the IP addresses are known for the head office and the shops I would like
> to have a different PSK for each tunnel. Can I just list the secrets with IP
> addresses in the ipsec.secrets-file?

You can have multiple PSKs in your ipsec.secrets file, with each secret
"tagged" with the remote IP(s) it is to be used for.  Note that there
can only be *ONE* "default" PSK.

> And what happens if I put in another
> PSK with %any for the remote IP, i.e. in which order is Ipsec reading the
> ipsec.secrets-file?

I'm not sure exactly what you're asking here, but the matching rules are
listed in the ipsec.secrets man page:
http://leaf.sourceforge.net/devel/cstein/Packages/man/IPSec1.91/manpage.d/ipsec.secrets.5.html

<quote>
Matching IDs with indices is fairly straightforward: they have to be
equal. In the case of a ``Road Warrior'' connection, if an equal match
is not found for the Peer's ID, and it is in the form of an IP address,
an index of %any will match the peer's IP address if IPV4 and %any6 will
match the peer's IP address if IPV6. Currently, the obsolete notation
0.0.0.0 may be used in place of %any.

An additional complexity arises in the case of authentication by
preshared secret: the responder will need to look up the secret before
the Peer's ID payload has been decoded, so the ID used will be the IP
address.
</quote>

> Can I put the PSK secrets in the ipsec.conf-file? I think I have seen this
> somewhere.

I believe they go in ipsec.secrets, and ipsec.secrets only...see the
ipsec.conf man page for details.

> I know that the documentation says that you can only have one secret, PSK
> or RSA, for all Roadwarriors. What I wonder is how Ipsec handles the name
> for the connections. Would it be possible to have two Roadwarrior
> connections with different names and one secret for each connection?

No.  Read the above quote from the ipsec.secrets man page.  Due to the
way the ipsec protocol implements authentication, when the PSK is being
looked up, the *ONLY* thing known about the far end is its IP address.
That means you can only have *ONE* default road-warrior key if you're
doing Pre-shared-secrets authentication.

NOTE:  This limitation DOES NOT EXIST for RSA authentication.  You can
create separate connections for multiple dynamic clients, and identify
them uniquely with the [left|right]id field in ipsec.conf, as well as by
the public portion of their RSA key (sidenote: I like using unresolved
domain names as IDs, i.e. [EMAIL PROTECTED]).  This makes RSA keys
*MUCH* easier to use in production than the "simple" PSKs, at least
IMHO, especially if you've got any dynamic IP clients.

> I know that one solution presumably would be to use certificates, but I
> would prefer to keep things as simple as possible.

RSA signature keys are far less hassle than certificates, and IMHO are
easier to administer than PSKs.  With a PSK, you have to generate the
key, and copy it to both machines.  Anyone on either machine can break
your security by accessing the PSK.

With RSA keys, you have to generate two keys (no big deal, just run
ipsec rsasigkey twice), and copy the public key to each system.  It's a
little more work on the front end, but each system is in charge of its
own secret, which is *NOT* shared with any other system (only the
non-secret public key is shared), so while there's more key-generation
involved, you don't have to worry so much about the PSK (i.e. copying it
to the remote system via secure methods), and the security benefits are
HUGE if you've got more than one road-warrior.

> I have read the documentation and searched the web but I have not found any
> information about this. So is it I who is stupid or .

Well, if you got everything you mentioned working in vmware, you're
probably not stupid, so I guess I'm going with ".", whatever that is :-)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
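The matching rule quoted from the man page above, modelled as an added example (not from the original thread and not FreeS/WAN's own code): a small parser for ipsec.secrets PSK lines plus a lookup that applies the rule as quoted, showing why every dynamic peer ends up on the one %any secret and why a second default cannot be resolved by IP alone. All addresses and secrets are constructed placeholders.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed ipsec.secrets for the setup in the thread: head office and two
# shops on fixed addresses, road warriors on addresses nobody knows in advance.
# All addresses and secrets are placeholders.
SAMPLE_SECRETS = """
203.0.113.1 198.51.100.10: PSK "shop1-psk"   # head office <-> shop 1
203.0.113.1 198.51.100.20: PSK "shop2-psk"   # head office <-> shop 2
203.0.113.1 %any: PSK "roadwarrior-psk"      # the ONE default for dynamic peers
"""
PSK_LINE = re.compile(r'^\s*(?P<idx>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*(?:#.*)?$')


def parse_secrets(text: str) -> List[Tuple[List[str], str]]:
    """Return [(indices, secret), ...] for every PSK line; comments are skipped."""
    entries = []
    for line in text.splitlines():
        m = PSK_LINE.match(line)
        if m:
            entries.append((m.group("idx").split(), m.group("psk")))
    return entries


def is_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def lookup_psk(entries, local_id: str, peer_id: str) -> Optional[str]:
    """Model of the man-page rule: at PSK lookup time the responder only knows
    the peer's IP, so peer_id is an address.  Exact index matches win; only if
    none exists does %any (or the obsolete 0.0.0.0) stand in for an IPv4 peer."""
    def matches(indices: List[str], wildcard: bool) -> bool:
        peer_ok = peer_id in indices
        if not peer_ok and wildcard and is_ipv4(peer_id):
            peer_ok = "%any" in indices or "0.0.0.0" in indices
        return local_id in indices and peer_ok

    for wildcard in (False, True):
        hits = [psk for indices, psk in entries if matches(indices, wildcard)]
        if len(hits) > 1:  # two defaults: no way to pick one by IP alone
            raise ValueError("ambiguous: %d secrets match peer %s" % (len(hits), peer_id))
        if hits:
            return hits[0]
    return None
```

Two road warriors dialling in from different dynamic addresses both resolve to "roadwarrior-psk"; adding a second %any line makes the lookup ambiguous rather than giving each its own key.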
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html