On Fri, Nov 24, 2006 at 07:54:49AM -0600, Albert Chin wrote:
> On Fri, Nov 24, 2006 at 07:35:10PM +0900, Mathieu Sauve-Frankel wrote:
> > > > Now VPN-A has this in ipsec.conf:
> > > > ike passive esp from any to any srcid [EMAIL PROTECTED] dstid
> > > > [EMAIL PROTECTED]
> >
> > If you need to support more than one user in your roadwarrior setup.
> > Then don't set dstid.
>
> But, according to ipsec.conf:
>   dstid is similar to srcid, but instead specifies the ID to be used
>   by the remote peer.
>
> So, if I want multiple roadwarriors to connect, with X.509
> certificates, and I leave srcid blank, won't the authentication occur
> with the client IP, for which I certainly won't have a CERTIP
> certificate because the IP is undetermined?

Ok, if I specify srcid but no dstid, then multiple clients can
connect. Maybe I missed something but it wasn't obvious that this
would work, reading ipsec.conf(5) and isakmpd(8).

--
albert chin ([EMAIL PROTECTED])