Thread: how to specify domain name in ipsec.secrets




how to specify domain name in ipsec.secrets
user name
2006-12-06 19:34:37
Hello,

I have ipsec working using pre-shared keys with a NATed WinXP client.
My ipsec host is on a machine with a dynamic IP, so I don't want to have
to specify the host IP in any of the configuration files.

Currently in ipsec.secrets I have:

68.149.172.106 %any: PSK "secret"

From the manual page, I think I should be able to replace it with:

vpn.northfolk.ca %any: PSK "secret"

but this doesn't work and I get the following message in my log:

Dec  6 12:25:33 aurora pluto[6881]: "L2TP-PSK"[4] 198.166.253.177 #4: Can't authenticate: no preshared key found for `68.149.172.106' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD

This makes me think that the name is not being properly resolved.  How
can I get this to work?

Thanks.

-- 
Chris

_______________________________________________
Usersopenswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

how to specify domain name in ipsec.secrets
user name
2006-12-06 19:43:13
Chris Purves wrote:
> Hello,
>
> I have ipsec working using pre-shared keys with a NATed WinXP client.
> My ipsec host is on a machine with a dynamic IP, so I don't want to have
> to specify the host IP in any of the configuration files.
>
> Currently in ipsec.secrets I have:
>
> 68.149.172.106 %any: PSK "secret"
>
> From the manual page, I think I should be able to replace it with:
>
> vpn.northfolk.ca %any: PSK "secret"
>
> but this doesn't work and I get the following message in my log:
>
> Dec  6 12:25:33 aurora pluto[6881]: "L2TP-PSK"[4] 198.166.253.177 #4: Can't authenticate: no preshared key found for `68.149.172.106' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
>
> This makes me think that the name is not being properly resolved.  How
> can I get this to work?
>

Okay, I was able to get it to work by adding:

leftid=vpn.northfolk.ca to ipsec.conf


-- 
Chris

how to specify domain name in ipsec.secrets
user name
2006-12-06 22:31:46
On Wed, 6 Dec 2006, Chris Purves wrote:

> I have ipsec working using pre-shared keys with a NATed WinXP client.
> My ipsec host is on a machine with a dynamic IP, so I don't want to have
> to specify the host IP in any of the configuration files.
>
> Currently in ipsec.secrets I have:
>
> 68.149.172.106 %any: PSK "secret"
>
> From the manual page, I think I should be able to replace it with:
>
> vpn.northfolk.ca %any: PSK "secret"
>
> but this doesn't work and I get the following message in my log:

no, you cannot combine id with PSK, since the ID is sent after the
PSK has been used. The "" can only be used for RSA keys.

> This makes me think that the name is not being properly resolved.  How
> can I get this to work?

Just use "%any" without anything else. Yes, it means you can only have one
PSK for all roadwarriors. If that is a problem, switch to X.509.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
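
Added example, not part of the thread and not Openswan's code: the IKEv1 Main Mode key derivation from RFC 2409 section 5, showing why the responder has to pick the PSK before it can read the peer's ID, next to a simplified model of the ipsec.secrets lookup. HMAC-SHA1 as the prf, the `select_psk` matching rule, the nonce/cookie/DH values and the `alice`/`bob` entries are assumptions constructed for illustration; the addresses and `vpn.northfolk.ca` are the ones quoted in the thread.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf; HMAC-SHA1 is assumed as the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5: key that encrypts Main Mode messages 5 and 6,
    which are the messages carrying the ID payloads."""
    skeyid = prf(psk, ni + nr)                  # the PSK enters here
    tail = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    return prf(skeyid, skeyid_a + tail + b"\x02")

def select_psk(secrets, local_id, peer_addr):
    """Simplified model (an assumption, not Openswan's code) of the lookup
    done before message 5: the peer's ID payload is still encrypted, so
    only our own ID and the peer's source address (or %any) can match."""
    for (local_sel, peer_sel), psk in secrets:
        if local_sel in (local_id, "%any") and peer_sel in (peer_addr, "%any"):
            return psk
    return None

# Constructed sample values; addresses and host name are from the thread.
NI, NR = b"\x11" * 16, b"\x22" * 16
G_XY = b"\x33" * 128
CKY_I, CKY_R = b"\x44" * 8, b"\x55" * 8
PEER = "198.166.253.177"
BY_NAME = [(("vpn.northfolk.ca", "%any"), b"secret")]
PER_PEER = [(("%any", "alice.example.test"), b"alice-psk"),
            (("%any", "bob.example.test"), b"bob-psk")]

if __name__ == "__main__":
    # Local ID left at the IP address: the name-indexed entry is missed.
    print(select_psk(BY_NAME, "68.149.172.106", PEER))
    # Local ID set to the name (leftid): the same entry is found.
    print(select_psk(BY_NAME, "vpn.northfolk.ca", PEER))
    # Per-peer names cannot match: the peer ID has not been decrypted yet.
    print(select_psk(PER_PEER, "68.149.172.106", PEER))
    # Each candidate PSK gives a different key for decrypting that ID.
    for _, psk in PER_PEER:
        print(skeyid_e(psk, NI, NR, G_XY, CKY_I, CKY_R).hex())
```
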
how to specify domain name in ipsec.secrets
user name
2006-12-06 22:32:50
On Wed, 6 Dec 2006, Chris Purves wrote:

> Okay, I was able to get it to work by adding:
>
> leftid=vpn.northfolk.ca to ipsec.conf

I guess it works for local ID's 

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155