[Swan] Dynamic Hosts

John Crisp jcrisp at safeandsoundit.co.uk
Fri Nov 27 15:58:12 UTC 2015


On 27/11/15 16:23, John Crisp wrote:
> We are using 3.15 currently on CentOS6 and working on Libre-Libre
> connections.
> 
> We have a nice simple working setup with PSK that works well with static
> IPs. The problems occur with a Dynamic 'Client/Host'. I know this is not
> a favoured solution but.....
> 

Awww damn - just noticed this for starters


https://github.com/libreswan/libreswan/issues/27

"If using multiple connections with roadwarriors, ensure your end's ID
is matched uniquely (so not the IP)

You must use Aggressive Mode, not Main Mode, when using IKEv1 if you
want the IKE connection to be able to use the ID to match a different
secret. (aggrmode=yes)

Of course, we strongly recommend not to use Aggressive Mode with PSK.

You should strongly consider using X.509 certificates instead of PSKs"

Probably ought to set to IKEv2 and try with leftid/rightid again?
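
The IKEv2 route suggested at the end of this message, sketched as an added example that is not part of the original post or of the libreswan project's own material: with IKEv2 the peer's ID is received before the PSK is used, so the secret can be selected by ID rather than by source IP, and Aggressive Mode is not needed. All connection names, IDs, addresses, subnets and the secret are placeholders assumed for illustration.

```conf
# --- /etc/ipsec.conf on the static-IP gateway (values below are placeholders) ---
conn dynamic-client1
    ikev2=insist                    # refuse IKEv1, so no Main/Aggressive Mode at all
    authby=secret                   # PSK; X.509 is what the quoted issue recommends
    left=192.0.2.10                 # gateway's static address (assumed)
    leftid=@gw.example.test         # our ID, not the IP
    leftsubnet=10.0.1.0/24
    right=%any                      # dynamic peer: any source address
    rightid=@client1.example.test   # unique per roadwarrior, used to pick the secret
    rightsubnet=10.0.2.0/24
    auto=add                        # wait for the dynamic side to initiate

# --- /etc/ipsec.secrets on the gateway: one line per roadwarrior ID ---
@gw.example.test @client1.example.test : PSK "REPLACE_WITH_LONG_RANDOM_SECRET"

# --- /etc/ipsec.conf on the dynamic client ---
conn to-gateway
    ikev2=insist
    authby=secret
    left=%defaultroute              # whatever address the client currently has
    leftid=@client1.example.test
    leftsubnet=10.0.2.0/24
    right=192.0.2.10
    rightid=@gw.example.test
    rightsubnet=10.0.1.0/24
    auto=start                      # the dynamic side brings the tunnel up

# --- /etc/ipsec.secrets on the client ---
@client1.example.test @gw.example.test : PSK "REPLACE_WITH_LONG_RANDOM_SECRET"
```

Each additional dynamic host gets its own conn with a distinct rightid and its own secrets line, so one leaked PSK does not expose the other peers.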
