[Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread jmassey

Hello,

I have two Dachstein IPsec gateways in place. One is a static IP, the
other is Dynamic. I can not get the VPN up. When I change the ipsec.secrets
file to reflect the IP assigned to the Dynamic connection it works! But as
soon as I specify it as Dynamic it doesn't. When this happens
/var/log/auth.log says that no preshared key could be found for
68.87.38.109 (the dynamically assigned address) and 216.29.35.154 (the
remote static address). Anyone have any suggestions?

Thanks,

Jason Massey

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread Charles Steinkuehler

> I have two Dachstein IPsec gateways in place. One is a static IP, the
> other is Dynamic. I can not get the VPN up. When I change the ipsec.secrets
> file to reflect the IP assigned to the Dynamic connection it works! But as
> soon as I specify it as Dynamic it doesn't. When this happens
> /var/log/auth.log says that no preshared key could be found for
> 68.87.38.109 (the dynamically assigned address) and 216.29.35.154 (the
> remote static address). Anyone have any suggestions?

It sounds like IPSec isn't finding the proper secret to use unless the
secret is tagged with the remote IP.  Are you assigning connection IDs in
ipsec.conf?  IPSec will use the IP as a default ID if you don't assign one
manually.  I typically use unresolved names as a connection ID, rather than
IP addresses...they are easier for me to remember (and make sense of).
IIRC, there may also be some limitations on using pre-shared secrets vs. RSA
signature keys...which are you trying to use?

Try something like:

[EMAIL PROTECTED]
[EMAIL PROTECTED]

in your connection description at both ends...

If that doesn't help, you'll probably have to provide your ipsec.conf and
ipsec.secrets file for inspection (remove/alter any private info from
ipsec.secrets before posting, but keep it otherwise intact).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread jmassey

Charles,

> It sounds like IPSec isn't finding the proper secret to use unless the
> secret is tagged with the remote IP.  Are you assigning connection IDs in
> ipsec.conf?  IPSec will use the IP as a default ID if you don't assign one
> manually.  I typically use unresolved names as a connection ID, rather than
> IP addresses...they are easier for me to remember (and make sense of).
> IIRC, there may also be some limitations on using pre-shared secrets vs. RSA
> signature keys...which are you trying to use?
>
> Try something like:
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> in your connection description at both ends...
>
> If that doesn't help, you'll probably have to provide your ipsec.conf and
> ipsec.secrets file for inspection (remove/alter any private info from
> ipsec.secrets before posting, but keep it otherwise intact).

I am using shared secrets. I will at one point want to try the RSA
encryption, but I have experience with shared secrets and figured to start
there and then go to RSA. In my previous experience with FreeS/WAN (v.
1.34 I believe) I would specify 0.0.0.0 for anyone in the ipsec.secrets
file on the static gateway and 127.0.0.1 for local IP on the dynamic
gateway. I have not seen this instructed at all for the v1.91 with which I
am working. What should the ipsec.secrets file be for the static and
dynamic gateways? I currently have this for both:

216.29.35.154 0.0.0.0:PSK secretgoeshere

If you like I will provide the files.

Jason Massey




Re: [Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread Phillip Watts



I have had similar problems.
Love to know what ipsec version you are using.

It seems that using 0.0.0.0 as an identifier in ipsec.secrets
is key, but I haven't got dynamic to work yet.








Re: [Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread jmassey

Charles,

One other thing. The /var/log/auth.log is from the dynamic gateway, as this
is the one starting the tunnel. I must not be specifying for IPsec to use
the local IP the right way in ipsec.secrets. In ipsec.conf you use
%defaultroute. What about in ipsec.secrets?

Jason Massey




Re: [Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread jmassey

Phillip,

Version 1.91. I think I may scrap using the PSK and go to RSA. As Charles
pointed out, RSA does not use IPs as identifiers but rather uses the keys.

Jason Massey





Re: [Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread Brock Nanson

If I recall correctly, ipsec.secrets will NOT allow a catch-all entry if
you are using preshared secrets.  That's the reason you want to go to
RSA keys if you have a dynamic end to the tunnel - they will allow this,
if you set a name as Charles suggested.

If you want to stay with the preshared secrets, I'd suggest adding a
dynamic DNS daemon on the dynamic end so that you can find the gateway
with ssh - you'll need to edit ipsec.secrets every time the IP changes!

Once you get your head around RSA, you'll wonder why you wasted any time
with the shared secrets ;-)

Brock




Re: [Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread Chad Carr

On Thu, 25 Apr 2002 08:54:02 -0700
Brock Nanson [EMAIL PROTECTED] wrote:

> If I recall correctly, ipsec.secrets will NOT allow a catch-all entry if
> you are using preshared secrets.  That's the reason you want to go to
> RSA keys if you have a dynamic end to the tunnel - they will allow this,
> if you set a name as Charles suggested.

You can have only one catch-all (and therefore one preshared secret) if you are using 
preshared secrets.  The identifier to use is %any in the ipsec.secrets file.  Like so:

%any 192.168.3.1: PSK unsecure

HTH
Chad




Re: [Leaf-user] Dynamic VPN Gateway..... Almost

2002-04-25 Thread jmassey

> You can have only one catch-all (and therefore one preshared secret) if
> you are using preshared secrets.  The identifier to use is %any in the
> ipsec.secrets file.  Like so:
>
> %any 192.168.3.1: PSK unsecure
>
> HTH
> Chad

Yes, but that would be the ipsec.secrets entry on the static side. What 
about the dynamic gateway? Would it be the same?

Jason Massey

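A worked pair of configurations for the setup the thread converges on (name-based IDs as Charles suggested, %any in ipsec.secrets as Chad showed, and the dynamic end's secrets file Jason asks about at the end). This is an added example, not a configuration anyone in the thread posted; the addresses, names, subnets and secret are constructed, and it assumes FreeS/WAN 1.9x keyword syntax (left/right, leftid/rightid, authby, auto).

```ini
# Added example, not from the thread. FreeS/WAN 1.9x-style ipsec.conf and
# ipsec.secrets for one static gateway and one dynamically addressed gateway
# authenticating with a pre-shared key. All values below are constructed.

# --- ipsec.conf on the static gateway (public address 198.51.100.1) ---
conn dyn-to-static
    left=198.51.100.1            # this (static) end
    leftid=@static.example       # name-based ID instead of the bare IP
    leftsubnet=10.1.0.0/24
    right=%any                   # peer address is not known in advance
    rightid=@dynamic.example
    rightsubnet=10.2.0.0/24
    authby=secret                # pre-shared key
    auto=add                     # static end only listens; it never initiates

# --- ipsec.conf on the dynamic gateway ---
conn dyn-to-static
    left=%defaultroute           # local address taken from the default route
    leftid=@dynamic.example
    leftsubnet=10.2.0.0/24
    right=198.51.100.1
    rightid=@static.example
    rightsubnet=10.1.0.0/24
    authby=secret
    auto=start                   # the dynamic end brings the tunnel up

# --- ipsec.secrets on the static gateway ---
# PSK entries are indexed by the two peers' addresses. %any stands in for
# the address that is not known ahead of time (the dynamic peer). Only one
# such catch-all PSK can exist, which is the limitation Brock and Chad
# describe; for more than one dynamic peer the thread recommends RSA keys.
198.51.100.1 %any: PSK "ConstructedSecret-ReplaceMe"

# --- ipsec.secrets on the dynamic gateway ---
# Here %any stands in for the local, dynamically assigned address, so the
# file does not need editing when that address changes.
%any 198.51.100.1: PSK "ConstructedSecret-ReplaceMe"
```

The secret must be identical at both ends, and because the static side cannot tell %any peers apart by name before the PSK is used, every dynamic peer would share that one secret.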