[Openswan Users] help with bug 348

Chris Haumesser chris at osafoundation.org
Tue Mar 21 12:17:14 CET 2006


I'm experiencing a problem that I believe is related to bug 348 (Fix
openswan picking the proper authby...):
http://bugs.xelerance.com/view.php?id=348

I have two roadwarrior connections defined in my ipsec.conf: one using a
PSK, and one using a CA.  The description/resolution of bug 348 says,
"If Openswan tries to use the PSK conn entry with a certificates client,
it realises it doesn't work because of the missing
leftcert=ipsec-server.pem. It then tries the certificates conn entry,
and works."

My experience is inconsistent with this statement.  Has this behavior
changed in recent versions of openswan?

Using the workarounds suggested in the bug report, I was able to get
openswan to always try the PSK connection first.  Everything works
properly with PSK clients.  However, when I try to connect a client
using a certificate, it continually tries to use the PSK connection to
key, and never even attempts to key using the ca connection.

I'm running openswan-2.4.5rc5 on linux-2.6.15.4 with KLIPS and NAT-T.

Below is my ipsec config.  Can anyone help?


version 2.0
config setup
    forwardcontrol=yes
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/16,%v4:10.10.0.0/24,%v4:10.10.1.0/24,%v4:192.168.2.0/24,%v4:!192.168.101.0/24,%v4:!192.168.102.0/24,%v4:!10.13.10.0/24,%v4:!192.168.103.0/24,%v4:!192.168.99.0/24,%v4:!192.168.79.0/24
    overridemtu=1370

include /etc/ipsec.d/examples/no_oe.conf

conn roadwarrior-a-psk
    auto=add
    type=transport
    authby=secret|rsasig
    left=<my public ip>
    leftprotoport=17/1701
    leftrsasigkey=%cert
    pfs=no
    right=%any
    rightprotoport=17/%any
    rightrsasigkey=%cert
    rightsubnet=vhost:%priv,%no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    keyingtries=3

conn roadwarrior-b-ca
    auto=add
    type=transport
    authby=secret|rsasig
    left=<my public ip>
    leftprotoport=17/1701
    leftcert=/etc/ipsec.d/certs/griswold-cert.pem
    leftrsasig=%cert
    pfs=no
    right=%any
    rightprotoport=17/%any
    rightrsasigkey=%cert
    rightsubnet=vhost:%priv,%no
    rightca="C=US,ST=California,L=Some City,O=MyCo,OU=IT,CN=VPN Root CA,E=sysadmin at something.com"
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    keyingtries=10


-- 
Chris Haumesser
Systems Administrator
  Kapor Enterprises, Inc.
  Open Source Applications Foundation
  Level Playing Field Institute
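The selection problem described above comes down to two `right=%any` conn entries that share every address/port selector and overlap in `authby`, so the responder can only tell them apart by certificate settings. The following lint script is an added example written for this page; it is not part of the original post and not Openswan's own tooling. It parses an ipsec.conf-style file, reports conn pairs that are indistinguishable by selector yet share an `authby` method, and flags keywords outside a small known list. The sample config is a constructed copy modelled on the post, with a placeholder public IP, and both `KNOWN_KEYS` and the assumed default of `authby=rsasig` are assumptions of the example rather than a complete statement of the ipsec.conf grammar.

```python
"""Lint an ipsec.conf for roadwarrior conn entries that a responder cannot
tell apart by address/port selectors alone (added example, not Openswan code)."""
from collections import OrderedDict

# Constructed sample modelled on the config in the post above; 203.0.113.10 is
# a placeholder for <my public ip>, and the rightca DN is shortened.
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes

conn roadwarrior-a-psk
    auto=add
    type=transport
    authby=secret|rsasig
    left=203.0.113.10
    leftprotoport=17/1701
    leftrsasigkey=%cert
    right=%any
    rightprotoport=17/%any
    rightrsasigkey=%cert
    rightsubnet=vhost:%priv,%no

conn roadwarrior-b-ca
    auto=add
    type=transport
    authby=secret|rsasig
    left=203.0.113.10
    leftprotoport=17/1701
    leftcert=/etc/ipsec.d/certs/griswold-cert.pem
    leftrsasig=%cert
    right=%any
    rightprotoport=17/%any
    rightrsasigkey=%cert
    rightsubnet=vhost:%priv,%no
    rightca="C=US,ST=California,O=MyCo,CN=VPN Root CA"
"""

# Partial keyword list assumed for this example; not the full ipsec.conf grammar.
KNOWN_KEYS = {
    "auto", "type", "authby", "left", "leftprotoport", "leftrsasigkey", "leftcert",
    "leftid", "leftsubnet", "right", "rightprotoport", "rightrsasigkey", "rightsubnet",
    "rightca", "rightid", "pfs", "dpddelay", "dpdtimeout", "dpdaction", "keyingtries",
    "also", "ike", "esp", "keyexchange", "rekey",
}

# Settings that decide which conn a responder matches before authentication.
SELECTOR_KEYS = ("type", "left", "leftprotoport", "right", "rightprotoport", "rightsubnet")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in the text."""
    conns = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header such as "conn NAME", "config setup" or "version 2.0".
            parts = line.split(None, 1)
            if parts[0] == "conn" and len(parts) == 2:
                current = conns.setdefault(parts[1], {})
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip().strip('"')
    return conns


def authby_set(conn):
    """authby methods as a set; the default of rsasig is an assumption of this example."""
    return set(conn.get("authby", "rsasig").split("|"))


def unknown_keys(conns):
    """Map conn name -> sorted keywords not in KNOWN_KEYS (typos surface here)."""
    return {name: sorted(set(c) - KNOWN_KEYS)
            for name, c in conns.items() if set(c) - KNOWN_KEYS}


def ambiguous_pairs(conns):
    """Pairs of %any conns with identical selectors and at least one shared authby method."""
    pairs = []
    names = list(conns)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ca, cb = conns[a], conns[b]
            if ca.get("right") != "%any" or cb.get("right") != "%any":
                continue
            if all(ca.get(k) == cb.get(k) for k in SELECTOR_KEYS):
                shared = authby_set(ca) & authby_set(cb)
                if shared:
                    pairs.append((a, b, sorted(shared)))
    return pairs


if __name__ == "__main__":
    parsed = parse_conns(SAMPLE_CONF)
    for a, b, shared in ambiguous_pairs(parsed):
        print(f"{a} and {b} share selectors and authby {shared}; only cert settings differ")
    for name, keys in unknown_keys(parsed).items():
        print(f"{name}: unrecognised keywords {keys}")
```

Run against the sample, the script reports that `roadwarrior-a-psk` and `roadwarrior-b-ca` are distinguishable only by their certificate-related settings, and lists `leftrsasig` as a keyword it does not recognise; whether that keyword is accepted by the running Openswan version is something to confirm against its documentation rather than this example's list.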

