On 2010-03-30, a b <rclo...@yahoo.co.uk> wrote:
> Hello List,
>
> I've got this config that is working beautifully:
>
> #ROAD WARRIOR
> ike passive from 10.1.2.3 to 10.9.8.0/24 \
>         peer any \
>         main auth hmac-sha2-256 enc aes-256 group modp2048 \
>         quick auth hmac-sha2-256 enc aes-256 \
>         srcid 192.168.111.1 dstid a...@example.com \
>         psk some_very_long_and_complicated_key \
>         tag RoadRunner
>
> However, if I go and copy/paste that snippet in order to lazily create a second user:
>
> #ROAD WARRIOR
> ike passive from 10.1.2.4 to 10.9.8.0/24 \
>         peer any \
>         main auth hmac-sha2-256 enc aes-256 group modp2048 \
>         quick auth hmac-sha2-256 enc aes-256 \
>         srcid 192.168.111.1 dstid b...@example.com \
>         psk another_very_long_and_complicated_key \
>         tag RoadRunner
>
> Changing only the from, dstid and psk parameters.....

In other words: you can only have one "peer any" configured. Therefore, if you want to have users connecting from unknown addresses, they must either use the same psk or use keys instead. Or, to put it another way, if you want each user to have a separate psk, you need to know IP addresses in advance (you can have one psk per known address, and a fallback default psk for any other connections).

To get a better understanding, try 'ipsecctl -nvf /etc/ipsec.conf' and compare the output with the two rules; notice which section the psk appears in, and try setting an address with 'peer 1.1.1.1' instead of 'peer any' to see what happens.
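As an added illustration of the arrangement the reply describes (this is not the original poster's config nor anything from the thread): one ipsec.conf with a per-peer psk for a road warrior whose address is known in advance, plus a single "peer any" rule whose psk is the fallback for everyone else. The peer address 203.0.113.5, the dstid values and the psk strings are placeholders chosen for this example; the cipher parameters are copied from the posted rules.

```conf
# Added example, not from the original thread. Assumed values: the known
# road warrior connects from 203.0.113.5 (a documentation address chosen for
# illustration); the dstid and psk values are placeholders to be replaced.

# Known peer: identified by its address, so it can carry its own psk.
ike passive from 10.1.2.3 to 10.9.8.0/24 \
        peer 203.0.113.5 \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 \
        srcid 192.168.111.1 dstid roadwarrior1@example.com \
        psk psk_only_for_203_0_113_5 \
        tag RoadRunner

# Fallback: the one and only "peer any" rule. Its psk is the default used
# for any peer that did not match an explicit address above, so every
# unknown-address user shares it (or switches to keys instead of a psk).
ike passive from 10.1.2.4 to 10.9.8.0/24 \
        peer any \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 \
        srcid 192.168.111.1 dstid roadwarrior2@example.com \
        psk shared_default_psk_for_unknown_peers \
        tag RoadRunner
```

Check it the way the reply suggests before loading it: run `ipsecctl -nvf /etc/ipsec.conf` and look at which section each psk ends up in; adding a second `peer any` rule with a different psk is the case to compare against, since only one fallback psk can exist.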