[Openswan dev] Pluto respawns with rightid=%fromcert
Tuomo Soini
tis at foobar.fi
Thu Dec 11 11:44:17 EST 2008
Nicolas Bellido Y Ortega wrote:
> Following a thread on the user list [*], pluto receives a SIGABRT and
> respawns itself when rightid=%fromcert is present in ipsec.conf.
>
> The setup is the following (for a more complete description, please
> have a look at the thread on the user list):
>
> I want two peers ('Left' and 'Right') to communicate through an IPSec
> tunnel:
>
> Left [10.0.5.83] <--------> Right [10.0.5.110]
>
> I want them to authenticate themselves based on their certificate, and
> the certs to be validated against each other's CA root cert.
>
> That is, I want Right to authenticate with its cert onto Left, and Left
> to validate Right's cert based on Right's CA root cert.
> Similarly, Right validates Left's cert against Left's CA root cert.
>
> Left is configured as follows:
>
> version 2.0
> config setup
> nat_traversal=yes
> OE=off
> protostack=netkey
> dumpdir=/tmp # Only here for debug
> conn left-right-vpn
> left=10.0.5.83
> leftcert=/etc/ipsec.d/certs/leftCert.pem
> leftsendcert=always
> right=%any
> rightca=%any
> rightid=%fromcert
> auto=add
This config is totally wrong, but it looks like the config parser will accept
it (wrongly). right=%any and rightid=%fromcert is an invalid combination.
%fromcert can only load the ID from a locally stored certificate!
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
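Added here as an illustration (not Openswan's code and not part of the thread): a small checker that parses the conn section from the quoted message and flags the combination Tuomo points out. It assumes the standard ipsec.conf key names (left/right, leftid/rightid, leftcert/rightcert); the "no <side>cert=" check follows the reply's statement that %fromcert loads the ID only from a locally stored certificate.

```python
# Added example (not Openswan's own code): a small ipsec.conf checker for
# the invalid combination described above. Assumes standard key names.
import re
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)$")

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for every config/conn block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and indentation
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def check_fromcert(sections):
    """Flag sides where id=%fromcert cannot work: it reads the ID from a
    locally stored cert, so it needs <side>cert= and not <side>=%any."""
    problems = []
    for name, keys in sections.items():
        if not name.startswith("conn "):
            continue
        for side in ("left", "right"):
            if keys.get(f"{side}id") != "%fromcert":
                continue
            if keys.get(side) == "%any":
                problems.append(f"{name}: {side}=%any with {side}id=%fromcert")
            if f"{side}cert" not in keys:
                problems.append(f"{name}: {side}id=%fromcert without {side}cert=")
    return problems

# Constructed copy of the quoted Left configuration (conn section only).
SAMPLE = """\
conn left-right-vpn
    left=10.0.5.83
    leftcert=/etc/ipsec.d/certs/leftCert.pem
    leftsendcert=always
    right=%any
    rightca=%any
    rightid=%fromcert
    auto=add
"""

if __name__ == "__main__":
    for problem in check_fromcert(parse_ipsec_conf(SAMPLE)):
        print(problem)
```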