[Openswan Users] WLAN IPsec implementation

Bryan McAninch bryan at mcaninch.org
Sun May 15 11:58:58 CEST 2005


I agree - certs are far more secure than PSKs. What happened is that I had
been using certs when my laptop was running win2k, but I recently
re-installed and I'm now using XP. I'm currently running XP SP2, without any
host-based firewalling or ICS (if that helps narrow things down).

As for the overlapping keys - I've also recently upgraded OpenSWAN from
2.2.1 to 2.3.1, so you are likely correct about the former bug. I just
continued using the same configuration from 2.2.1 after upgrading to 2.3.1.
I have not yet seen any overlapping keys, but I'll tinker with some settings
and report anything that looks quirky.

Thanks,

Bryan

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Sunday, May 15, 2005 4:58 AM
To: Bryan McAninch
Cc: 'Zach'; users at openswan.org
Subject: RE: [Openswan Users] WLAN IPsec implementation

On Sat, 14 May 2005, Bryan McAninch wrote:

> I would recommend using a PSK instead of x.509, as I've encountered
> problems during Phase 1 with XP/x.509 - namely "Hash Payload has an
> unknown value".
> Also, XP (as well as 2k) supports PFS, so use it if you can.

I will test to see if that hash payload issue is related to PSK or X.509.
In general, it is REALLY much better to use X.509 than PSK. PSK is bad, and
it gets worse with NAT traversal.

> As you can see, the above configuration allows my laptop to access
> anything (leftsubnet=0.0.0.0/0), assuming it's permitted by the
> firewall policy, via the IPSec over 802.11 connection. I also use the
> 'rekey=no' option with Windows client since without it, I get numerous
> overlapping Phase 1 & 2 SAs (which consumes valuable resources on the
> 400MHz/128M FW/VPN).

You should use rekey=no on the server, since if you close your laptop you
want the server to stop trying to rekey the connection.
However, you should not see overlapping SAs. There was a bug in 2.2.x, but
that should have been fixed. Is it possible for you to use 2.3.x and try to
trigger these to see if this is not a new issue?

Paul
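[Editor's note: the following ipsec.conf is an added illustration of the gateway-side setup discussed in this thread; it is not Bryan's posted configuration and not Openswan project code. The addresses, certificate file name and DN are assumptions. It shows the PSK road-warrior conn the thread warns against beside the X.509 conn Paul recommends, both with PFS enabled and rekey=no on the gateway so it stops rekeying once the laptop disappears.]

```ini
# Added example, not from the thread. Gateway side of an Openswan 2.3.x
# WLAN road-warrior setup. 192.168.1.1, gateway.pem and the DN are assumed.
config setup
    nat_traversal=yes          # Windows clients behind NAT need NAT-T
    interfaces=%defaultroute

# Weak variant: one pre-shared key for every client, and PSK gets worse
# with NAT traversal because the peer cannot be identified by address.
conn wlan-psk
    authby=secret
    left=192.168.1.1           # gateway's WLAN-side address (assumed)
    leftsubnet=0.0.0.0/0       # laptop reaches everything through the tunnel,
                               # subject to the gateway's firewall policy
    right=%any                 # any client address
    pfs=yes                    # XP and 2k support PFS, so use it
    rekey=no                   # let the client drive rekeying; a closed
                               # laptop must not keep the gateway rekeying
    auto=add

# Preferred variant: X.509 certificates, one per client, validated against
# the CA that issued the gateway's own certificate.
conn wlan-x509
    authby=rsasig
    left=192.168.1.1
    leftsubnet=0.0.0.0/0
    leftcert=gateway.pem       # in /etc/ipsec.d/certs (assumed file name)
    leftrsasigkey=%cert
    leftid="C=US, O=Example, CN=gateway.example.org"   # assumed DN
    right=%any
    rightrsasigkey=%cert       # take the client's key from its certificate
    rightca=%same              # client cert must chain to the gateway's CA
    pfs=yes
    rekey=no
    auto=add
```

For the X.509 conn, /etc/ipsec.secrets only needs the gateway's private key (`: RSA gateway.key`), whereas the PSK conn needs a `%any : PSK "..."` line whose secret every client shares, which is the core of the objection to PSK above. Only one of the two conns should be loaded in practice; they are shown together for comparison.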
