<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Ok, the problem with vhost:%no,%priv has to do with "rightsubnets" (note
the trailing s) - with "rightsubnet" (no trailing s) it worked fine.
Still getting the address family error, though... any ideas?<br>
<br>
Diego Rivera wrote:
<blockquote cite="mid:4A7F42DF.1010800@rbxglobal.com" type="cite">
Ok.... I've applied your suggested changes except for the rightsubnets
- pluto keeps complaining that "vhost:%no,%private" is not a valid
subnet declaration.<br>
<br>
I'll have a look to see if XAUTHPAM is enabled in my build - else I'll
just rebuild it.<br>
<br>
Sadly, I've been unable to disable IPv6 on this box - could that be the
source of the grief? Also - our certificate has an intermediate CA
that needs to be shared (it had to be imported into the CISCO VPN
client) - would I need to provide reference to it for pluto?<br>
<br>
In racoon I had to run a process to produce a short, 4 byte value which
would then (in hex form) be used as the CA's file name(s ... there are
two in the chain), and store them in a specific place. How would that
work for pluto?<br>
<br>
Cheers.<br>
<br>
Paul Wouters wrote:
<blockquote
cite="mid:alpine.LFD.1.10.0908091702300.18844@newtla.xelerance.com"
type="cite">On Sun, 9 Aug 2009, Diego Rivera wrote: <br>
<br>
<blockquote type="cite">Yes - I knew what XAUTH was I just wasn't
sure if PAM would automatically <br>
be used as the authentication means or how to specify that it would be <br>
used. The reason I ask is because I also see that it's possible to <br>
create an htpasswd-type file with usernames and passwords in it - but no <br>
documentation on how to specify which of the two methods to use (or if <br>
they can be combined in the same deployment, for instance, for two <br>
different endpoints). <br>
</blockquote>
<br>
You cannot combine the two. Either PAM is used or the htpasswd file is <br>
used. It only depends on the setting of USE_XAUTHPAM <br>
<br>
<blockquote type="cite">Interesting that you should mention the X.509
certificates - we used <br>
exactly that with Racoon, and no group secret (or rather, the group <br>
secret was ignored). I've drafted a tunnel configuration for this but I <br>
can't seem to get it to come up - keeps complaining about "address family <br>
inconsistency in this client connection". I'm sure it's just me being <br>
too dumb again: <br>
<br>
----- BEGIN XAUTH CONF ----- <br>
conn rbx-ras <br>
authby=secret <br>
leftid=%fromcert <br>
</blockquote>
<br>
That should be authby=rsasig <br>
<br>
<blockquote type="cite"> leftcert=/etc/openswan/ras.crt <br>
left=<my-public-ip> <br>
leftnexthop=%defaultroute <br>
leftsourceip=<my-private-ip> <br>
</blockquote>
<br>
leftsourceip= should not be used for roadwarriors, only for
subnet-subnet <br>
tunnels. <br>
<br>
<blockquote type="cite">
leftsubnets={<all-the-private-subnets>} <br>
leftxauthserver=yes <br>
leftmodecfgserver=yes <br>
right=%any <br>
rightnexthop=%defaultroute <br>
rightid=@RAS <br>
</blockquote>
<br>
rightid should be left out so multiple IDs can connect. It will <br>
depend on the CAs loaded whether or not the client will be allowed. <br>
<br>
<blockquote type="cite"> rightxauthclient=yes <br>
rightmodecfgclient=yes <br>
</blockquote>
<br>
rightsubnets=vhost:%no,%priv is missing here for NAT'ed clients. <br>
<br>
<blockquote type="cite"> dpdaction=restart_by_peer <br>
</blockquote>
<br>
The server should not attempt to restart/rekey for dynamic IP <br>
roadwarriors. <br>
<br>
<blockquote type="cite"> dpddelay=30 <br>
dpdtimeout=60 <br>
pfs=yes <br>
ike=3des-md5-modp1024 <br>
esp=3des-md5-modp1024 <br>
aggrmode=yes <br>
salifetime=15m <br>
ikelifetime=1h <br>
rekeymargin=2m <br>
rekey=no <br>
auto=add <br>
------ END XAUTH CONF ------ <br>
</blockquote>
<br>
<blockquote type="cite">I already have just such rules in place - I'm
just somewhat <br>
anal-retentive that way :) I like to be able to fully control <br>
everything I deploy so I don't inadvertently leave something hanging <br>
where it shouldn't. It's a shame that hasn't been done in such a mature <br>
daemon... maybe a configuration such as <br>
"listenaddress={aaa.bbb.ccc.ddd:500 eee.fff.ggg.hhh:500}" ... ? <br>
</blockquote>
<br>
It's more complicated. What do you do when new IP addresses appear <br>
or disappear (and you'd have to distinguish those that by themselves <br>
come in via a tunnel)? If someone writes a patch, we'll accept it after <br>
testing, but most people use dedicated machines for IPsec servers, so <br>
they don't have an issue with listening to ANY. <br>
<br>
Paul <br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
                        p { margin: 0; }
                </style>
<div style="font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);"><font
size="1"> Diego Rivera<br>
Director / System Operations<br>
Roundbox Global : <span
style="font-style: italic; color: rgb(102, 102, 102);">enterprise :
technology : genius</span><br>
------------------------------------------------------------------------------------------------------------------<br>
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica<br>
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
2258-3695<br>
email: <a moz-do-not-send="true"
href="mailto:diego.rivera@rbxglobal.com">diego.rivera@rbxglobal.com</a>
| <a moz-do-not-send="true" href="http://www.rbxglobal.com">www.rbxglobal.com</a><br>
------------------------------------------------------------------------------------------------------------------<br>
</font> </div>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
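Added example (not code from any post in this thread, nor from Openswan itself): a small
Python checker that parses a roadwarrior conn block like the one posted above, flags the
points Paul raised (authby, leftsourceip, rightid, the vhost: line and dpdaction), and
renders the corrected block. It also applies the rightsubnet/rightsubnets detail from the
top of this mail, treating vhost: under rightsubnets as the form pluto rejected. The sample
conn is reconstructed from the thread with constructed RFC 5737 placeholder addresses in
place of the poster's private values; the function names are assumptions of this example.<br>
<br>
```python
import re
from typing import Dict, List

# Constructed sample: the conn posted in the thread. Addresses and subnets
# are placeholders (documentation ranges), not the poster's real values.
SAMPLE_CONF = """\
conn rbx-ras
    authby=secret
    leftid=%fromcert
    leftcert=/etc/openswan/ras.crt
    left=192.0.2.1
    leftnexthop=%defaultroute
    leftsourceip=10.0.1.1
    leftsubnets={10.0.1.0/24 10.0.2.0/24}
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightnexthop=%defaultroute
    rightid=@RAS
    rightxauthclient=yes
    rightmodecfgclient=yes
    dpdaction=restart_by_peer
    dpddelay=30
    dpdtimeout=60
    pfs=yes
    ike=3des-md5-modp1024
    esp=3des-md5-modp1024
    aggrmode=yes
    salifetime=15m
    ikelifetime=1h
    rekeymargin=2m
    rekey=no
    auto=add
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections of ipsec.conf-style text into {name: {key: value}}.
    '#' comments and blank lines are skipped; text before the first conn is ignored."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def review_roadwarrior_conn(conn: Dict[str, str]) -> List[str]:
    """Return the review findings from the thread that apply to one parsed conn."""
    findings: List[str] = []
    if conn.get("authby") == "secret" and "leftcert" in conn:
        findings.append("authby=secret alongside leftcert: certificate auth needs authby=rsasig")
    if "leftsourceip" in conn:
        findings.append("leftsourceip= is for subnet-to-subnet tunnels, not roadwarrior conns")
    if conn.get("right") == "%any" and "rightid" in conn:
        findings.append("rightid= pins one peer identity; drop it and let the loaded CAs decide")
    if conn.get("rightsubnets", "").startswith("vhost:"):
        findings.append("vhost: is rejected in rightsubnets=; put it in rightsubnet= (no trailing s)")
    elif conn.get("right") == "%any" and not conn.get("rightsubnet", "").startswith("vhost:"):
        findings.append("no rightsubnet=vhost:%no,%priv, so NAT'ed clients cannot connect")
    if conn.get("dpdaction") in ("restart", "restart_by_peer"):
        findings.append(f"dpdaction={conn['dpdaction']}: server must not restart/rekey dynamic-IP roadwarriors")
    return findings


def harden_roadwarrior_conn(conn: Dict[str, str]) -> Dict[str, str]:
    """Return a corrected copy of the conn; the input dict is left untouched."""
    fixed = dict(conn)
    if "leftcert" in fixed:
        fixed["authby"] = "rsasig"
    fixed.pop("leftsourceip", None)
    if fixed.get("right") == "%any":
        fixed.pop("rightid", None)
        if fixed.get("rightsubnets", "").startswith("vhost:"):
            fixed["rightsubnet"] = fixed.pop("rightsubnets")  # same value, right key
        if not fixed.get("rightsubnet", "").startswith("vhost:"):
            fixed["rightsubnet"] = "vhost:%no,%priv"
    if fixed.get("dpdaction") in ("restart", "restart_by_peer"):
        fixed["dpdaction"] = "clear"  # 'clear' (or 'hold') are the non-restarting values
    return fixed


def render_conn(name: str, conn: Dict[str, str]) -> str:
    """Render a parsed conn back into ipsec.conf syntax."""
    return f"conn {name}\n" + "".join(f"    {k}={v}\n" for k, v in conn.items())


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        for finding in review_roadwarrior_conn(conn):
            print(f"{name}: {finding}")
        print(render_conn(name, harden_roadwarrior_conn(conn)))
```
<br>
Running it prints five findings for the posted conn and then the corrected block; the
same functions can be pointed at any conn section of an ipsec.conf to check a roadwarrior
definition before loading it with pluto.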
</body>
</html>