<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
> > This issue seems to be using an ID of type ID_IPV4_ADDR. If we try the same connection using an ID of type ID_DER_ASN1_DN<br>
> > (specified on the Netgear/right) and specify rightid = DN, the connection establishes as expected without having the<br>
> > right's end certificate loaded on the left.<br>
> > <br>
> > In other words, when the Netgear identifies itself with its WAN IP address, OpenSWAN cannot seem to find the public key<br>
> > unless that key is loaded locally and specified directly. If the Netgear identifies itself with its DN, then no public<br>
> > key needs to be loaded locally, but the id field does still need to know about the DN of the Netgear (right).<br>
> <br>
> Arguably, you've just described a misconfiguration that the Netgear allows but that does not interoperate with Openswan.<br>
> <br>
> > The add_x509_public_key function is always adding in the key.id.kind as type ID_DER_ASN1_DN. I believe that the<br>
> > connection type is varying from machine to machine, depending on settings (i.e. IP address type or DN type), however the<br>
> > key is always being added as ID_DER_ASN1_DN type. This makes the same_id function fail out.<br>
> <br>
> It should.<br>
> <br>
> > I would like to comment out the following code in an attempt to get OpenSWAN to continue on and connect with an ID type<br>
> > of &lt;IP Address&gt;.<br>
> > <br>
> > Within /lib/libopenswan/id.c::same_id(const struct id *a, const struct id *b), this if statement checks the ID type of<br>
> > pointer a and pointer b.<br>
> > <br>
> > if (a->kind != b->kind)<br>
> > return FALSE;<br>
> ><br>
> > I do not know the repercussions of this code change within the OpenSWAN architecture.<br>
> <br>
> That will cause havoc if you also have a PSK defined for that IP address. It will mix up RSA vs PSK modes.<br>
> <br>
> I'd have to think about what we can do to allow this case to work, without breaking anything<br>
> else. But you'll run into other issues too. If they propose based on ID_IPV4_ADDR instead of<br>
> ID_DER_ASN1_DN, then for instance we will also not send out any CERT payloads.<br>
> <br>
> Paul<br>
<br>
Thanks Paul.<br>
<br>
It sounds like the correct way to proceed is to set the Netgear to ID_DER_ASN1_DN when using certificates, and error out if the Netgear is misconfigured. I appreciate the insight.<br>
<br>
Is it still true that %fromcert can only load the id from a locally stored certificate? Or can it be used to retrieve the DN from the certificate the Netgear sends over?<br>
<br>
marcos<br>
</body>
</html>