[Openswan Users] Re: your mail
Paul Wouters
paul at xelerance.com
Tue Nov 29 21:19:20 CET 2005
On Tue, 29 Nov 2005, utkarsh shah wrote:
> conn abc
> left=151.7.7.254
> leftsubnet=7.7.7.0/255.255.255.0
> leftnexthop=151.7.7.1
> right=%any
> authby=secret
> auto=add
> pfs=yes
> keylife=8h
> rekey=yes
> rekeymargin=10
> rekeyfuzz=0%
> keyingtries=10
> compress=yes
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
>
>
> conn rw_ltotp_test
> left=151.7.7.254
> leftsubnet=7.7.7.0/255.255.255.0
> leftnexthop=151.7.7.1
> right=%any
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> rightcert=ltotptest.pem
> auto=add
> pfs=yes
> keylife=8h
> rekey=yes
> rekeymargin=10
> rekeyfuzz=0%
> keyingtries=10
> compress=yes
> dpddelay=30
>
> my ipsec.secrets file is like
>
> : RSA elitecorevpnprivatekey.key "password"
>
> 151.7.7.254 %any : PSK "presharedkey"
>
>
> When I write both connection details and restart ipsec, it works well, but if I add a connection after the restart it gives a message like
>
> ipsec auto --replace rw_ltotp_test
> 023 authentication method disagrees with "abc", which is also for an unspecified peer
> 037 attempt to load incomplete connection
The connections are "too similar" for pluto to currently make a decision in
time to select for which of the two connections it is. It should figure
this out by the authby= but that happens too late currently.
Adding a rightid=@server and leftid=@client on the PSK connection on
the server (and the client configuration) should work around this.
Paul
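Paul's workaround written out as a full pair of conn sections, as an added illustration that is not part of the original thread. It keeps the addresses and subnet from the question, uses constructed ID labels (@gateway-psk and @roadwarrior-psk) in place of the @server/@client names in the reply, and assumes the road-warrior side is an Openswan host with a default route; the ipsec.secrets line keyed by those IDs is an assumption about how the PSK is then looked up, not something stated in the thread.

```ini
# Added example, not from the mailing-list thread: the PSK connection from the
# question with explicit IDs so that pluto can tell it apart from the
# certificate connection before authby= is evaluated.
#
# Server side (151.7.7.254). Only the PSK conn changes; rw_ltotp_test keeps
# rightcert=ltotptest.pem and gets its identity from the certificate.
# The labels @gateway-psk / @roadwarrior-psk are constructed; any distinct
# "@name" IDs work, they only have to match crosswise on the client.
conn abc
        left=151.7.7.254
        leftsubnet=7.7.7.0/255.255.255.0
        leftnexthop=151.7.7.1
        leftid=@gateway-psk
        right=%any
        rightid=@roadwarrior-psk
        authby=secret
        auto=add
        pfs=yes
        keylife=8h
        rekey=yes
        rekeymargin=10
        rekeyfuzz=0%
        keyingtries=10
        compress=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear

# Client side (assumed Openswan road warrior; left=%defaultroute is an
# assumption). leftid here equals the server's rightid and vice versa.
conn abc
        left=%defaultroute
        leftid=@roadwarrior-psk
        right=151.7.7.254
        rightid=@gateway-psk
        rightsubnet=7.7.7.0/255.255.255.0
        authby=secret
        auto=start
        pfs=yes
        keylife=8h
        rekey=yes
        rekeymargin=10
        rekeyfuzz=0%
        keyingtries=10
        compress=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear

# ipsec.secrets on both hosts (assumption: with IDs set on the conn, the PSK
# entry is selected by those IDs rather than by the "151.7.7.254 %any" pair).
# @gateway-psk @roadwarrior-psk : PSK "presharedkey"
```

The point of the IDs from a defender's view is that connection selection becomes deterministic: a peer offering a certificate is matched to rw_ltotp_test and a peer offering the PSK identity to abc, so neither can be accidentally evaluated against the other's authentication method. After the change, `ipsec auto --replace abc` followed by `ipsec auto --replace rw_ltotp_test` should load both without the "authentication method disagrees" message; if it still appears, the two conns still share every selector that pluto compares at that stage.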