[Openswan dev] Pluto respawns with rightid=%fromcert

Tuomo Soini tis at foobar.fi
Thu Dec 11 11:44:17 EST 2008

Hash: SHA1

Nicolas Bellido Y Ortega wrote:
> Following a thread on the user list [*], pluto receives a SIGABRT and
> respawns itself when rightid=%fromcert is present in ipsec.conf.
> The setup is the following (for a more complete description, please
> have a look at the thread on the user list):
> I want two peers ('Left' and 'Right') to communicate through an IPSec
> tunnel:
>   Left [] <--------> Right []
> I want them to authenticate themselves based on their certificate, and
> the certs to be validated against each other's CA root cert.
> That is, I want Right to authenticate with its cert onto Left, and Left
> to validate Right's cert based on Right's CA root cert.
> Similarly, Right validates Left's cert against Left's CA root cert.
> Left is configured as follows:
> version	2.0
> config setup
> 	nat_traversal=yes
> 	OE=off
> 	protostack=netkey
> 	dumpdir=/tmp # Only here for debug
> conn left-right-vpn
> 	left=
> 	leftcert=/etc/ipsec.d/certs/leftCert.pem
> 	leftsendcert=always
> 	right=%any
> 	rightca=%any
> 	rightid=%fromcert
> 	auto=add

This config is totally wrong but it looks like config-parser will accept
it (wrongly). right=%any and rightid=%fromcert is invalid combination.
Fromcert can only load id from locally stored certificate!

- --
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
Version: GnuPG v1.4.5 (GNU/Linux)


More information about the Dev mailing list