[Openswan Users] help with bug 348

Paul Wouters paul at xelerance.com
Tue Mar 21 22:04:07 CET 2006

On Tue, 21 Mar 2006, Chris Haumesser wrote:

> I have two roadwarrior connections defined in my ipsec.conf: one using a
> PSK, and one using a CA.  The description/resolution of bug 348 says,
> "If Openswan tries to use the PSK conn entry with a certificates client,
> it realises it doesn't work because of the missing
> leftcert=ipsec-server.pem. It then tries the certificates conn entry,
> and works."
> My experience is inconsistent with this statement.  Has this behavior
> changed in recent versions of openswan?
> Using the workarounds suggested in the bug report, I was able to get
> openswan to always try the PSK connection first.  Everything works
> properly with PSK clients.  However, when I try to connect a client
> using a certificate, it continually tries to use the PSK connection to
> key, and never even attempts to key using the ca connection.
> I'm running openswan-2.4.5rc5 on linux- with KLIPS and NAT-T.

> conn roadwarrior-a-psk
>     auto=add
>     type=transport
>     authby=secret|rsasig
>     left=<my public ip>
>     leftprotoport=17/1701
>     leftrsasigkey=%cert
>     pfs=no

> conn roadwarrior-b-ca
>     auto=add
>     type=transport
>     authby=secret|rsasig
>     left=<my public ip>
>     leftprotoport=17/1701
>     leftcert=/etc/ipsec.d/certs/griswold-cert.pem
>     leftrsasig=%cert

Please DO NOT USE THE PIPE SYNTAX! It should fail. It will fail soon.

Specify a leftid=ip for the PSK, and specify the DN= from the server
certificate as leftid= for the X.509 connection

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list