Hi, my setup:
    Fritzbox1:                 1.1.1.1
    Fritzbox2:                 2.2.2.2
    Strongswan Debian Server:  3.3.3.3 AND 4.4.4.4

    1.1.1.1 <=> 3.3.3.3
    2.2.2.2 <=> 3.3.3.3
    X.X.X.X (road warrior) <=> 4.4.4.4

First of all: I know now strongswan, racoon and openswan. And after 5 minutes I realised strongswan is the best, even if openswan is similar to Strongswan. Thank you! ;)

For the road warrior I decided to use l2tp in combination with xl2tp, which is working great on its own. The tunnels to both fritzboxes are also running great on their own. All also at the same time.

But the problem I have is that in some cases the road warriors are also connected to the LAN @ fritzbox1/2, which is not working because the preshared keys for those IPs are defined differently. I thought I could define the ipsec.secrets like that, because I thought the whole line must match for the preshared key. In my tests I saw I am wrong:

    3.3.3.3 1.1.1.1 : PSK "fritz1"
    3.3.3.3 2.2.2.2 : PSK "fritz2"
    4.4.4.4 %any    : PSK "other PSK"

The problem I got is that if I am in the network 1.1.1.1 and 2.2.2.2 I have to use the PSK for fritzbox 1 or 2... not the one for "OTHER PSK".

So I decided to have more than one Strongswan instance (on different IPs or ports... I don't care). If I don't want to recompile strongswan I have to use Strongswan 5.2.1 or newer. Is that right? Or am I forgetting a possibility in ipsec which I missed?

I hope my problem is explained clearly enough. I have no question about getting the tunnels working themselves. This is already working great. I just have questions about how to handle the preshared keys.

Why am I using l2tp? It is widely common and is working without an additional client on iOS, Windows, Android, Linux and MacOS, which I really like, and has enough security I think. Let me know about your thoughts. Hope I broke no rules of the mailing list.

--
Cheers
Konstantin
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
