Adam French wrote:
> Does anyone have any success getting a LAN-to-LAN tunnel up and working
> with Juniper? The requirement has StrongSwan as the initiator and
> Juniper as the Responder. I can get it to work with PSK authentication
> and only when the initiator has a static IP. However, I have had no
> success with any configuration that has the Strongswan initiator with a
> dynamic IP address. I think it will only work with RSA certs
> authentication but I can't get the certs to work with Juniper. If you
> have had any success with cert authentication or dynamic IP address and
> Juniper, please let me know your test case information/configuration.

The fact that dynamic IP addresses and PSK authentication cannot be used at the same time is a known shortcoming of IKEv1 Main Mode (strongSwan only supports Main Mode b/c Aggressive Mode is insecure). Andreas Steffen told me once that they included some hack into strongSwan that supports PSKs in conjunction with dynamic IP addresses but I never tried that.

I think you should go for RSA certs. Please provide us with your config files, certs and log files so that we can help you better.

I personally do not know if strongSwan works with Juniper. But I guess it does because strongSwan proved to be very interoperable.

Btw, are you using IKEv1 or IKEv2?

Daniel
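
The Main Mode limitation mentioned in the reply above, as an added example that is not part of the original thread: per RFC 2409 section 5, SKEYID is derived from the pre-shared key, and SKEYID_e encrypts message 5, which carries the initiator's ID payload, so the responder has to choose the PSK from the source address alone. HMAC-SHA1 as the prf, the peer table, the addresses, the secrets and the exchange values are constructed assumptions.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA1 is the negotiated prf.
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
             cky_i: bytes, cky_r: bytes) -> bytes:
    """RFC 2409 section 5 derivation for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)                  # SKEYID = prf(PSK, Ni_b | Nr_b)
    base = gxy + cky_i + cky_r
    skeyid_d = prf(skeyid, base + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + base + b"\x01")
    return prf(skeyid, skeyid_a + base + b"\x02")  # keys messages 5 and 6

# Constructed responder configuration: before message 5 is decrypted the
# only peer identifier available is the source IP, so the table is keyed by it.
PSK_BY_IP = {"192.0.2.10": b"static-peer-secret"}

# Constructed values standing in for the cleartext messages 1 to 4.
NI, NR = b"\x11" * 16, b"\x22" * 16
GXY = b"\x33" * 128
CKY_I, CKY_R = b"\x44" * 8, b"\x55" * 8

def responder_select_psk(src_ip: str):
    return PSK_BY_IP.get(src_ip)

def responder_can_read_id(src_ip: str, initiator_psk: bytes) -> bool:
    """True when the responder derives the same SKEYID_e as the initiator,
    i.e. it can decrypt message 5 and see the ID payload inside it."""
    psk = responder_select_psk(src_ip)
    if psk is None:
        # No key for this address. The ID payload that could have selected
        # one (an FQDN, for instance) is inside the message we cannot decrypt.
        return False
    ours = skeyid_e(psk, NI, NR, GXY, CKY_I, CKY_R)
    theirs = skeyid_e(initiator_psk, NI, NR, GXY, CKY_I, CKY_R)
    return hmac.compare_digest(ours, theirs)

if __name__ == "__main__":
    print("static peer  :", responder_can_read_id("192.0.2.10", b"static-peer-secret"))
    print("dynamic peer :", responder_can_read_id("203.0.113.77", b"roadwarrior-secret"))
```

With RSA signatures SKEYID is computed from the nonces and the Diffie-Hellman secret instead of a per-peer key, so the responder can decrypt message 5 and authenticate the peer by the identity in its certificate regardless of source address.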