Thanks for the input.  I'll give it a try and let you know how it goes.
 
frank


From: Jaco Kroon [mailto:jaco@uls.co.za]
Sent: Tuesday, December 13, 2011 23:42
To: Frank Renwick
Cc: ipsec-tools-devel@lists.sourceforge.net
Subject: Re: [Ipsec-tools-devel] group password in ipsec-tools

Hi,

Doubt this will ever get merged mainline but I use the attached patch to set a "default" PSK if it can't be normally located.

Tested and in use at at least four different sites.  Diff is against ipsec-tools-0.8.0.

Not as granular as 10.0.0.0/8 style thing, but the code would be MUCH harder to write, and seeing that I use this with L2TP/IPSec where I really do need the same PSK for the entire internet it's sufficient for my requirements.

Kind Regards,
Jaco

On 12/14/11 00:26, Frank Renwick wrote:
Hello,
 
Hopefully, the following is an appropriate topic for this forum.  If not, don't hesitate to let me know.
 
I'm writing in search of a way to specify a single ISAKMP pre-shared key
to cover a set of VPN endpoints I'm running in an environment where I want to
share one key between a set of endpoints without manually
defining a separate line in psk.txt for each endpoint.  (Specifically,
I'm using opennhrp, a software package that builds on-demand IPSec
tunnels between endpoints whose IP addresses are unknown a priori.)
 
At present, the only configuration solution I've found is to manually
identify all of the endpoints in psk.txt:
  
10.10.1.1 this-is-my-key
10.20.1.1 this-is-my-key
...
10.30.1.1 this-is-my-key
 
On Cisco routers, there is a capability to use a single ISAKMP key 
to cover an entire subnet.  Example include:
 
crypto isakmp key this-is-my-key address 10.0.0.0 255.0.0.0 (covers all of 10.0.0.0/8)
OR
crypto isakmp key this-is-my-key address 0.0.0.0 0.0.0.0  (allows any
IP to connect with this ISAKMP key)
 
A similar option does not appear to be available in ipsec-tools.  Am I mistaken?
 
I am using ipsec-tools version 0.8.0:
 
[root]# racoon -V
@(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
 
Compiled with:
- OpenSSL 1.0.0d-fips 8 Feb 2011 (http://www.openssl.org/)
- IPv6 support
- Dead Peer Detection
- IKE fragmentation
- Hybrid authentication
- NAT Traversal
- Admin port
- Monotonic clock
- Security context
 
Thanks,
 
Frank Renwick
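Frank's question asks for subnet-style PSK entries in psk.txt. The following Python script is an added illustration, not part of this thread and not ipsec-tools code, of how such a lookup would behave: an exact identifier match wins first, then the longest-prefix CIDR entry, and a 0.0.0.0/0 entry plays the role of the "default" key Jaco describes. The psk.txt sample is constructed, and the /prefix entries are an assumption for the sake of the example; racoon 0.8.0's psk.txt, as discussed above, matches identifiers exactly.

```python
import ipaddress

# Constructed psk.txt-style sample: "<identifier><whitespace><key>".
# Lines with a /prefix are a hypothetical extension of the format.
SAMPLE_PSK_TXT = """\
# comments and blank lines are skipped
10.10.1.1        this-is-my-key
10.20.1.1        this-is-my-key
vpn.example.com  host-key
10.0.0.0/8       site-wide-key
10.20.0.0/16     branch-key
0.0.0.0/0        default-key
"""


def parse_psk(text):
    """Split psk.txt text into exact-match entries and CIDR entries.

    Returns (exact, networks): exact maps an address object or a plain
    string identifier (e.g. an FQDN) to its key; networks is a list of
    (ip_network, key) sorted longest prefix first so the most specific
    subnet is tried before broader ones.
    """
    exact = {}
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<identifier> <key>'")
        ident, key = parts
        if "/" in ident:
            # strict=True rejects entries like 10.0.1.0/8 whose host bits are set
            networks.append((ipaddress.ip_network(ident, strict=True), key))
        else:
            try:
                exact[ipaddress.ip_address(ident)] = key
            except ValueError:
                exact[ident] = key  # non-address identifier such as an FQDN
    networks.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return exact, networks


def lookup_psk(table, peer):
    """Return the key for a peer identifier, or None if nothing matches.

    Order: exact entry, then longest matching prefix of the same IP
    version, then nothing. A 0.0.0.0/0 entry is therefore reached only
    when no narrower entry covers the peer.
    """
    exact, networks = table
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return exact.get(peer)  # string identifiers match only exactly
    if addr in exact:
        return exact[addr]
    for net, key in networks:
        if addr.version == net.version and addr in net:
            return key
    return None


if __name__ == "__main__":
    table = parse_psk(SAMPLE_PSK_TXT)
    for peer in ("10.10.1.1", "10.20.5.5", "10.30.1.1", "192.0.2.1",
                 "2001:db8::1", "vpn.example.com"):
        print(f"{peer:16} -> {lookup_psk(table, peer)}")
```

Because entries are tried longest prefix first, a host-specific line overrides a site-wide one, and the wildcard line is only consulted when nothing narrower applies, so which peers share a given key can be read directly from the file. Note that an IPv6 peer never matches a 0.0.0.0/0 entry; a separate ::/0 line would be needed for that.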

