<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
Paul,<br>
<br>
I've tried to go back over earlier 2.6.x versions from the download
site. 2.6.14 and 2.6.16 won't compile so I can't test. 2.6.18 will
compile (release notes indicate a bug fix for Centos on which
ClarkConnect is based) and It runs. It shows the same problems with
multiple passwords as 2.6.21 and 2.6.22.<br>
<br>
BTW, the ipsec.secrets file I listed below should have the %any
removed. I do not normally have it in the file as it does not work for
2.4.x. I put it in to try to get 2.6.21 to work correctly but it made
no difference.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
p.s. I am now at 2.4.15 which is fine.<br>
<br>
-------- Original Message --------
<table class="moz-email-headers-table" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject: </th>
<td>Re: [Openswan Users] Upgrade 2.4.14 -> 2.6.21 Problem with
secrets</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Tue, 23 Jun 2009 18:34:44 +0100</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
<td>Nick Howitt <a class="moz-txt-link-rfc2396E" href="mailto:n1ck.h0w1tt@gmail.com"><n1ck.h0w1tt@gmail.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td>Paul Wouters <a class="moz-txt-link-rfc2396E" href="mailto:paul@xelerance.com"><paul@xelerance.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">CC: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<pre>Paul,
I've tested again changing USE_DYNAMICDNS?= back to false and it made no
difference. It still uses the first secret.
I've had to downgrade back to 2.4.14 (soon to be .15!) in order to keep
the two tunnels up.
Regards,
Nick
On 22/06/2009 21:27, Paul Wouters wrote:
> On Mon, 22 Jun 2009, Nick Howitt wrote:
>
>> I have just upgraded from 2.4.14 to 2.6.21 and I've hit an issue with
>> ipsec.secrets.
>
> There should not be any differences there...
>
>> leftnexthop=%defaultroute
>> keylife=28800s # (2.6.x only) # salifetime and
>> lifetime do not work as aliases
>> ikelifetime=28800s # (2.6.x only)
>
> I am confused how that does not work, from keywords.c:
>
> {"keylife", kv_conn|kv_auto|kv_alias, kt_time,
> KBF_SALIFETIME,NOT_ENUM},
> {"lifetime", kv_conn|kv_auto|kv_alias, kt_time,
> KBF_SALIFETIME,NOT_ENUM},
> {"salifetime", kv_conn|kv_auto, kt_time,
> KBF_SALIFETIME,NOT_ENUM},
> {"ikelifetime", kv_conn|kv_auto, kt_time,
> KBF_IKELIFETIME,NOT_ENUM},
>
> Can you explain what "does not work" about those keywords?
>
>> and ipsec.secrets
>> %any : PSK "DialInSecret"
>> my.FQDN MumOut.FQDN : PSK "MumOutRouter'sSecret"
>>
>> This worked absolutely fine in 2.4.14. I have compiled 2.6.21 with
>> USE_DYNAMICDNS?=true and it no longer works.
>
> You can try and reverse the two entries, making the most specific one
> match first. David has a patch that should allow better picking with %any
> in the secrets, and I'll see about applying that shortly.
>
>> The documentation says the best match is used so for conn MumOut it
>> should pick up the second secret. In this scenario I cannot connect to
>> MumOut. If I switch the lines round in ipsec.secrets, I get the same
>> message and conn Mark is never able to establish with the following
>> message:
>
> Hmm, so much for that idea then...
>
>> I do not even see how conn Mark should be matching "my.FQDN MumOut.FQDN
>> : PSK "MumOutRouter'sSecret" as MumOut.FQDN resolves to a completely
>> different IP address to the one which is initiating the connection.
>
> Note that secrets are read on startup.
>
> bug me in a few days if you have not seen me picking this up.
>
> Paul
</pre>
</body>
</html>