
IPsec : remote user.


je cheol

Oct 4, 2000, 3:00:00 AM
I would appreciate a response about remote-user config.
I know the reason that in multi-user configurations (mobile users)
we must use AGGRESSIVE mode. It is because we don't know the
mobile user's IP, and in order to connect with IKE we must use the peer's ID
instead of the peer's IP. And in AGGRESSIVE mode the ID is sent over
at an earlier stage of the negotiation.
But I don't know how to configure a different password for each user.
I want to know how in [Phase 1] we can describe each user's [phase1]
by ID (FQDN) instead of IP address.

See below (in isakmpd.conf):
:
:
[Phase 1]
_user1 ID_= ISAKMP-user1-config # instead of : _peer1 IP_= ISAKMP-peer1-config
_user2 ID_= ISAKMP-user2-config # instead of : _peer2 IP_= ISAKMP-peer2-config
_user3 ID_= ISAKMP-user3-config # instead of : _peer3 IP_= ISAKMP-peer3-config
:
:
Only in this way, I think, can we correctly configure a different password
for each remote user, because there is one 'Authentication=' tag per section.

P.S. When I use public key authentication for the multi-user config, it works well.


Craig Anderson

Oct 6, 2000, 3:00:00 AM

On Thu, 5 Oct 2000, Angelos D. Keromytis wrote:

>
> In message <000c01c02de0$34955520$db02040b@jchshin>, "je cheol" writes:
> >But I don't know how to configure a different password for each user.
> >I want to know how in [Phase 1] we can describe each user's [phase1]
> >by ID (FQDN) instead of IP address.
>

> Well, if your client's ID is an FQDN like "foo.bar.com", then you
> can have on the server's isakmpd.conf a section like this:
>
> [foo.bar.com]
> Authentication= mekmitasdigoat
>

<--( SNIP )-->

Helu,

Maybe someone can add the multi-user configuration ( with dynamic
clients ) to the IPSec documentation, since it seems to be a FAQ.


-- Craig

Angelos D. Keromytis

Oct 6, 2000, 3:00:00 AM

In message <000c01c02de0$34955520$db02040b@jchshin>, "je cheol" writes:
>But I don't know how to configure a different password for each user.
>I want to know how in [Phase 1] we can describe each user's [phase1]
>by ID (FQDN) instead of IP address.

Well, if your client's ID is an FQDN like "foo.bar.com", then you
can have on the server's isakmpd.conf a section like this:

[foo.bar.com]
Authentication= mekmitasdigoat

-Angelos

je cheol

Oct 6, 2000, 3:00:00 AM
Thanks for your response... It works well.
If this were on the OpenBSD site, I would be happier.
This must be inserted in the section pointed to by 'Default='.
Once more, I appreciate the help.
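
An added example, not part of the thread and not isakmpd code: a small Python check over a server isakmpd.conf laid out as in the reply above (one section per client ID, each with its own Authentication= tag) that reports IDs sharing a pre-shared key and IDs whose key is short. The sample file, the host names, the 'ISAKMP-clients' section name and the 20-character threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown in the thread: one section per
# client ID (FQDN), each with its own Authentication= tag.
# 'ISAKMP-clients' is an assumed section name used only for illustration.
SAMPLE_CONF = """\
[Phase 1]
Default= ISAKMP-clients

[alice.example.org]
Authentication= Xq7-long-random-value-for-alice

[bob.example.org]
Authentication= shared123

[carol.example.org]
Authentication= shared123
"""

# Assumed policy threshold, not an isakmpd requirement. With pre-shared keys
# in aggressive mode an observer can test key guesses offline, so short
# keys are the ones to find first.
MIN_LEN = 20

def parse_sections(text):
    """Parse '[section]' headers and 'Tag= value' lines into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or whole-line comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
        elif "=" in line and current is not None:
            tag, value = line.split("=", 1)
            current[tag.strip()] = value.strip()
    return sections

def audit_psk(text, min_len=MIN_LEN):
    """Return (reused, short): groups of IDs sharing a key, IDs with short keys."""
    by_key = defaultdict(list)
    for name, tags in parse_sections(text).items():
        if "Authentication" in tags:
            by_key[tags["Authentication"]].append(name)
    reused = sorted(sorted(ids) for ids in by_key.values() if len(ids) > 1)
    short = sorted(i for k, ids in by_key.items() if len(k) < min_len for i in ids)
    return reused, short

if __name__ == "__main__":
    reused, short = audit_psk(SAMPLE_CONF)
    for ids in reused:
        print("same pre-shared key used by:", ", ".join(ids))
    for name in short:
        print("pre-shared key shorter than", MIN_LEN, "characters:", name)
```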