[Openswan Users] Re: connection related problem

utkarsh shah utkarsh at elitecore.com
Wed Nov 30 10:42:29 CET 2005


Hi,

    Thanks for your help. I tried that but it didn't help :-(

    But when I restart ipsec both connections are added and are in active
state.

    I am not 100% sure but in older version it was working.

    Thank you..

Regards,

Utkarsh Shah
----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "utkarsh shah" <utkarsh at elitecore.com>
Cc: <users at openswan.org>; "Jacco de Leeuw" <jacco2 at dds.nl>
Sent: Wednesday, November 30, 2005 1:49 AM
Subject: Re: your mail


> On Tue, 29 Nov 2005, utkarsh shah wrote:
>
> > conn abc
> >         left=151.7.7.254
> >         leftsubnet=7.7.7.0/255.255.255.0
> >         leftnexthop=151.7.7.1
> >         right=%any
> >         authby=secret
> >         auto=add
> >         pfs=yes
> >         keylife=8h
> >         rekey=yes
> >         rekeymargin=10
> >         rekeyfuzz=0%
> >         keyingtries=10
> >         compress=yes
> >         dpddelay=30
> >         dpdtimeout=120
> >         dpdaction=clear
> >
> >
> > conn rw_ltotp_test
> >         left=151.7.7.254
> >         leftsubnet=7.7.7.0/255.255.255.0
> >         leftnexthop=151.7.7.1
> >         right=%any
> >         authby=rsasig
> >         leftrsasigkey=%cert
> >         rightrsasigkey=%cert
> >         rightcert=ltotptest.pem
> >         auto=add
> >         pfs=yes
> >         keylife=8h
> >         rekey=yes
> >         rekeymargin=10
> >         rekeyfuzz=0%
> >         keyingtries=10
> >         compress=yes
> >         dpddelay=30
> >
> > my ipsec.secrets file is like
> >
> > : RSA elitecorevpnprivatekey.key "password"
> >
> > 151.7.7.254 %any : PSK "presharedkey"
> >
> >
> > when I write both connection details and restart ipsec it works well
> > but if I add a connection after restart it gives message like
> >
> >  ipsec auto --replace rw_ltotp_test
> > 023 authentication method disagrees with "abc", which is also for an unspecified peer
> > 037 attempt to load incomplete connection
>
> The connections are "too similar" for pluto to currently make a decision
> in time to select for which of the two connections it is. It should figure
> this out by the authby= but that happens too late currently.
>
> Adding a rightid=@server and leftid=@client on the PSK connection on
> the server (and the client configuration) should work around this.
>
> Paul
>
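
Added example, not part of the original messages and not Openswan code: a small Python check that scans ipsec.conf-style text for the situation described in the reply above, two conns for an unspecified peer (%any) whose authby= differs and which carry no leftid=/rightid= to tell them apart. The sample configuration is constructed from the thread; the function names, and the rule that explicit IDs on either conn resolve the clash, are assumptions taken from the workaround above, not pluto's own selection logic.

```python
import re

# Constructed sample, reduced from the two conns quoted in the thread.
SAMPLE_CONF = """\
conn abc
    left=151.7.7.254
    right=%any
    authby=secret

conn rw_ltotp_test
    left=151.7.7.254
    right=%any
    authby=rsasig
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None                        # e.g. "config setup"
    return conns

def is_wildcard(conn):
    return "%any" in (conn.get("left"), conn.get("right"))

def has_ids(conn):
    return "leftid" in conn and "rightid" in conn

def find_conflicts(conns):
    """Pairs of unspecified-peer conns whose authby differs and where neither
    has explicit leftid/rightid (assumed rule, from the thread's workaround)."""
    wild = [(n, c) for n, c in conns.items() if is_wildcard(c)]
    hits = []
    for i, (n1, c1) in enumerate(wild):
        for n2, c2 in wild[i + 1:]:
            a1, a2 = c1.get("authby", "rsasig"), c2.get("authby", "rsasig")
            if a1 != a2 and not (has_ids(c1) or has_ids(c2)):
                hits.append((n1, n2))
    return hits
```

Calling find_conflicts(parse_conns(...)) on a configuration before running ipsec auto --add or --replace lists the conn pairs likely to produce the 023 message quoted above.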


