[Swan] regarding PSK lookup in secrets file and the Peer ID
swan at dm.cobite.com
Wed Mar 4 18:28:50 EET 2015
I'm fairly new to libreswan and I have a working tunnel where I control
both ends, both ends are libreswan. I'm about to set up a tunnel with a
partner and I'm looking to understand how secrets are matched against
indices in the secret file for PSK.
According to the man page:
An additional complexity arises in the case of authentication by
preshared secret: the responder will need to look up the secret
before the Peer's ID payload has been decoded, so the ID used
will be the IP address.
However, in my test tunnel, the secret is not found unless I use the
"id" I have specified in leftid/rightid, and not by using the IP
address. My IDs are defined like:
And my secrets file has to have:
@somename.mydomain.com @othername.mydomain.com: PSK "blahblahblah"
in order to work. It doesn't work with the IP addresses.
Also, in reading about "id" it seems a large area of configuration pain.
In my case, it looks like the partner will be deriving the ID from IP
and Netmask. Are they expecting my id to be "a.b.c.d/nnn"? I think the
default (i.e. omitting the leftid) would just be "a.b.c.d", no?
Is there any way to determine what the Peer ID is without being told
explicitly by their system administrator (i.e. is a peer id completely
arbitrary based on the ipsec implementation used and configuration on
the remote end?)
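As an added illustration of the index matching the post asks about (this is not code from the poster or from the libreswan project), here is a small Python model of how a lookup in an ipsec.secrets(5)-style file behaves when the IDs are @names versus IP addresses. It assumes the rules the ipsec.secrets man page describes: an entry is a candidate when both the local and the peer ID are among its indices, %any matches any ID, an entry with no indices is a default, and a more specific match is preferred over a wildcard one. The exact scoring and tie-breaking, the case-insensitive name comparison, and all sample IDs, addresses and secrets are my own constructions, not libreswan's implementation.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample entries in the ipsec.secrets(5) layout
# ("index index ... : PSK \"secret\"").  Names, addresses and secrets are
# made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_SECRETS = '''\
# indexed by the FQDN-style IDs that leftid/rightid carry
@somename.mydomain.com @othername.mydomain.com: PSK "blahblahblah"

# indexed by IP addresses, the ID form used when leftid/rightid are omitted
203.0.113.10 198.51.100.20 : PSK "ip-indexed-secret"
'''

# A catch-all entry; %any matches any ID (assumed semantics, see lead-in).
CATCH_ALL = '%any %any : PSK "wildcard-secret"\n'

_PSK_LINE = re.compile(r'^(?P<indices>[^:]*?)\s*:\s*PSK\s+"(?P<secret>[^"]*)"$')


def normalise_id(index: str) -> str:
    """Canonical form of an index/ID so textual variants compare equal.
    Only @names, dotted IPv4 addresses and %any are modelled; IPv6 indices
    would need colon-aware parsing and are not supported in this model."""
    s = index.strip()
    if s == "%any":
        return s
    if s.startswith("@"):
        return s.lower()            # assumed: name IDs compare case-insensitively
    try:
        return str(ipaddress.ip_address(s))
    except ValueError:
        return s.lower()


def parse_secrets(text: str) -> List[Tuple[List[str], str]]:
    """Return (indices, secret) pairs for every PSK entry in the text.
    Comments and blank lines are skipped; non-PSK entries are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PSK_LINE.match(line)
        if m is None:
            continue
        indices = [normalise_id(i) for i in m.group("indices").split()]
        entries.append((indices, m.group("secret")))
    return entries


def _match_score(index: str, wanted: str) -> int:
    """2 for an exact match, 1 for a %any wildcard, 0 for no match."""
    if index == wanted:
        return 2
    return 1 if index == "%any" else 0


def lookup_psk(text: str, my_id: str, peer_id: str) -> Optional[str]:
    """Pick the PSK for the (my_id, peer_id) pair.

    Rules modelled here: an entry is a candidate when both IDs are covered by
    its indices (exactly or via %any); an entry with no indices is a default
    candidate; the most specific candidate wins, earliest entry on ties."""
    my, peer = normalise_id(my_id), normalise_id(peer_id)
    best: Optional[str] = None
    best_score = -1
    for indices, secret in parse_secrets(text):
        if not indices:
            score = 0                       # default entry, lowest priority
        else:
            my_score = max(_match_score(i, my) for i in indices)
            peer_score = max(_match_score(i, peer) for i in indices)
            if my_score == 0 or peer_score == 0:
                continue                    # one side not covered: not a candidate
            score = my_score + peer_score
        if score > best_score:
            best, best_score = secret, score
    return best


if __name__ == "__main__":
    # The situation from the post: the entry is indexed by @names, so a lookup
    # with an IP-address ID on either side finds nothing.
    print(lookup_psk(SAMPLE_SECRETS, "@somename.mydomain.com", "@othername.mydomain.com"))
    print(lookup_psk(SAMPLE_SECRETS, "203.0.113.10", "@othername.mydomain.com"))
```

The second lookup returning nothing is the model's version of the symptom in the post: whatever the man page says about IP addresses, the file only yields a secret when the IDs presented on the wire match the indices written in it, so the indices have to be written in the same form (@name or address) as the IDs the two peers actually send.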