[Openswan Users] help with bug 348
Paul Wouters
paul at xelerance.com
Tue Mar 21 22:04:07 CET 2006
On Tue, 21 Mar 2006, Chris Haumesser wrote:
> I have two roadwarrior connections defined in my ipsec.conf: one using a
> PSK, and one using a CA. The description/resolution of bug 348 says,
> "If Openswan tries to use the PSK conn entry with a certificates client,
> it realises it doesn't work because of the missing
> leftcert=ipsec-server.pem. It then tries the certificates conn entry,
> and works."
>
> My experience is inconsistent with this statement. Has this behavior
> changed in recent versions of openswan?
>
> Using the workarounds suggested in the bug report, I was able to get
> openswan to always try the PSK connection first. Everything works
> properly with PSK clients. However, when I try to connect a client
> using a certificate, it continually tries to use the PSK connection to
> key, and never even attempts to key using the ca connection.
>
> I'm running openswan-2.4.5rc5 on linux-2.6.15.4 with KLIPS and NAT-T.
> conn roadwarrior-a-psk
>         auto=add
>         type=transport
>         authby=secret|rsasig
>         left=<my public ip>
>         leftprotoport=17/1701
>         leftrsasigkey=%cert
>         pfs=no
>
> conn roadwarrior-b-ca
>         auto=add
>         type=transport
>         authby=secret|rsasig
>         left=<my public ip>
>         leftprotoport=17/1701
>         leftcert=/etc/ipsec.d/certs/griswold-cert.pem
>         leftrsasig=%cert
Please DO NOT USE THE PIPE SYNTAX! It should fail. It will fail soon.
Specify a leftid=ip for the PSK, and specify the DN= from the server
certificate as leftid= for the X.509 connection.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
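As an added illustration of the advice above (not part of Paul's reply or of the original poster's configuration), here are the two roadwarrior conns rewritten so that each carries a single authby and its own leftid; the public IP, the certificate DN and the private-network list are placeholders.

```ini
# Added example, not from the thread: the PSK and X.509 roadwarrior conns
# are told apart by leftid and a single authby each, instead of the
# unsupported authby=secret|rsasig form.
# <my public ip> and the DN below are placeholders; use your own values.
version 2.0

config setup
        # NAT-T as used by the original poster; virtual_private is needed
        # for rightsubnet=vhost:%no,%priv on the roadwarrior conns.
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# L2TP/IPsec roadwarriors that authenticate with a pre-shared key.
# leftid is the server's own IP, so this conn is only matched for peers
# that also identify by IP and offer PSK.  ipsec.secrets needs a matching
# "<my public ip> %any : PSK ..." entry.
conn roadwarrior-a-psk
        auto=add
        type=transport
        authby=secret
        left=<my public ip>
        leftid=<my public ip>
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        pfs=no

# Roadwarriors that authenticate with an X.509 certificate.  leftid is the
# subject DN of the server certificate (placeholder DN), and leftcert
# supplies the key that leftrsasigkey=%cert refers to; without leftcert
# this conn cannot be used, which is the failure described in bug 348.
conn roadwarrior-b-ca
        auto=add
        type=transport
        authby=rsasig
        left=<my public ip>
        leftid="C=XX, O=Example Org, CN=vpn.example.org"
        leftcert=/etc/ipsec.d/certs/griswold-cert.pem
        leftrsasigkey=%cert
        leftprotoport=17/1701
        right=%any
        rightrsasigkey=%cert
        # only accept client certs issued by the same CA as our own cert
        rightca=%same
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        pfs=no
```

After loading both conns, `ipsec auto --status` lists each with its own ID, so a certificate client is matched against roadwarrior-b-ca rather than falling through the PSK conn.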