[Openswan Users] left/rightsendcert=always questions
Ken Bantoft
ken at xelerance.com
Fri May 14 06:05:04 CEST 2004
On Thu, 13 May 2004, Nate Carlson wrote:
> Hey guys!
>
> I've been working with 2.1.2 cvs connecting to a SFS 1.99.3 server, if you
> don't recall my previous message.
>
> Ran into a problem where if the certificate wasn't cached on the server
> side (from a different connection from a fs2.04/sfs host), it would reject
> the connection from the Openswan box with the following:
>
> May 13 16:18:53 vpn-gw pluto[7424]: "roadwarrior-colonet"[4] 65.193.16.110 #3: no RSA public key known for '<x509 id>'
> May 13 16:18:53 vpn-gw pluto[7424]: "rw"[4] 65.193.16.110 #3: sending notification INVALID_KEY_INFORMATION to 65.193.16.110:500
>
> If I make a connection from a sfs/fs box before hand with that cert, and
> it's cached on the gateway, it's no problem. Also, if I add the
> left/rightsendcert=always options to the openswan gateway, it works fine.
>
> Is this actually a bug in Openswan (I'd think that it'd send the cert if
> it needed it), or is it a bug in SFS (not asking for the certificate)?
Good question - I wish the RFCs answered this. Some vendors ask for a
cert, and some assume the cert will be sent. There is much controversy
over what is the 'most secure' mechanism. The current default (ifasked)
sends only when requested. I'm seriously tempted to set it to =always,
however people have raised concerns that it's a security hole, as you
'leak' data to anyone who initiates an IPsec connection to you. I haven't
formulated an opinion on which is better, so I'm open to suggestions.
> Also, is there more documentation on the Xsendcert option somewhere?
Not yet... it needs to be written. Yet another item on my
never-ending-swan TODO list :(
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
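The failure Nate describes leaves a recognisable pair of pluto log lines: "no RSA public key known for" followed by an INVALID_KEY_INFORMATION notification to the same peer and state. The following parser and correlator is an added example (not code from the thread or from Openswan); the log lines it runs on are constructed, modelled on the two quoted above plus one successful negotiation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample pluto log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
May 13 16:18:53 vpn-gw pluto[7424]: "roadwarrior-colonet"[4] 65.193.16.110 #3: no RSA public key known for '<x509 id>'
May 13 16:18:53 vpn-gw pluto[7424]: "rw"[4] 65.193.16.110 #3: sending notification INVALID_KEY_INFORMATION to 65.193.16.110:500
May 13 16:19:10 vpn-gw pluto[7424]: "rw"[5] 65.193.16.110 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

# timestamp host pluto[pid]: "conn"[instance] peer #state: message
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$'
)


@dataclass
class PlutoEvent:
    ts: str
    conn: str
    peer: str
    state: int
    msg: str


def parse_pluto_line(line: str) -> Optional[PlutoEvent]:
    """Parse one pluto syslog line; return None for lines in another format."""
    m = PLUTO_RE.match(line)
    if m is None:
        return None
    return PlutoEvent(m["ts"], m["conn"], m["peer"], int(m["state"]), m["msg"])


def find_missing_cert_failures(log_text: str) -> list:
    """Return one record per peer/state where pluto had no public key for the
    peer's ID and then rejected it with INVALID_KEY_INFORMATION. The two lines
    are correlated on peer address and state number, not on the conn label,
    because the label can differ between them (as in the quoted log)."""
    no_key = {}
    failures = []
    for line in log_text.splitlines():
        ev = parse_pluto_line(line)
        if ev is None:
            continue
        key = (ev.peer, ev.state)
        if ev.msg.startswith("no RSA public key known for"):
            no_key[key] = ev
        elif "sending notification INVALID_KEY_INFORMATION" in ev.msg and key in no_key:
            failures.append({"ts": ev.ts, "conn": ev.conn, "peer": ev.peer, "state": ev.state})
    return failures
```

A hit means the responder never obtained the initiator's certificate (neither cached nor sent), which is exactly the case that rightsendcert=always on the initiator side papers over.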