[Openswan Users] help with bug 348

Chris Haumesser chris at osafoundation.org
Wed Mar 22 08:43:12 CET 2006


Paul Wouters wrote:
 >>
 >> Please DO NOT USE THE PIPE SYNTAX! It should fail. It will fail soon.
 >>
 >> Specify a leftid=ip for the PSK, and specify the DN= from the server
 >> certificate as leftid= for the X.509 connection
 >>
 >> Paul

Thanks, Paul.  I've followed your advice, and removed the authby pipe
syntax from my configs, and added the leftid lines you suggested (please
see below in case I'm still doing something syntactically incorrect).

I still have a problem though, somewhere.  When I try to connect with a
PSK, openswan insists on matching it to my x.509 conn, which obviously
fails; and openswan never even tries the PSK connection.

Can you (anyone?) comment at all on bug 348, and/or the procedure
openswan uses to match incoming connections?  I.e., what factors
determine which conn entry openswan will try to match first, especially
in the case of multiple right=%any connections?

Just to be clear, it is *possible* to have one PSK plus one or more x509
connections with right=%any, correct?

Connection matching seems rather opaque to me, and I feel like I must
still be missing something...


from auth.log (xxx=xpclient,yyy=openswan):

packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]
packet from xxx.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
nat-t detected, sending nat-t VID
find_host_connection called from main_inI1_outR1
find_host_pair: comparing to yyy.yyy.yyy.yyy:500 0.0.0.0:500
find_host_pair_conn (find_host_connection2): yyy.yyy.yyy.yyy:500
xxx.xxx.xxx.xxx:500 -> hp:none
find_host_connection called from main_inI1_outR1
find_host_pair: comparing to yyy.yyy.yyy.yyy:500 0.0.0.0:500
find_host_pair_conn (find_host_connection2): yyy.yyy.yyy.yyy:500
%any:500 -> hp:road-b-pki
find_host_pair: comparing to yyy.yyy.yyy.yyy:500 0.0.0.0:500
connect_to_host_pair: yyy.yyy.yyy.yyy:500 xxx.xxx.xxx.xxx:500 -> hp:none
instantiated "road-b-pki" for xxx.xxx.xxx.xxx
...
...
"road-b-pki"[5] xxx.xxx.xxx.xxx #5: policy does not allow
OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD




updated ipsec.conf:


conn road-a-psk
         authby=secret
         auto=start
         left=yyy.yyy.yyy.yyy
         leftid=yyy.yyy.yyy.yyy
         leftprotoport=17/1701
         pfs=no
         right=%any
         rightprotoport=17/%any
         rightsubnet=vhost:%priv,%no
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         keyingtries=5

conn road-b-pki
         authby=rsasig
         auto=start
         left=yyy.yyy.yyy.yyy
         leftprotoport=17/1701
         leftcert=griswold-cert.pem

         leftid="C=US,ST=California,O=Org,OU=IT,CN=vpnhost.domain.com,E=sysadmin at domain.com"
         pfs=no
         right=%any
         rightprotoport=17/%any
         rightrsasigkey=%cert
         rightca="C=US,ST=California,L=MyCity,O=Org,OU=IT,CN=VPN Root CA,E=sysadmin at domain.com"
         rightsubnet=vhost:%priv,%no
         rightid=%cert
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         keyingtries=10



-- 
Chris Haumesser
Systems Administrator
   Kapor Enterprises, Inc.
   Open Source Applications Foundation
   Level Playing Field Institute
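An added example, not from this thread or from Openswan itself: a small Python checker that parses conn sections laid out like the ipsec.conf above and reports right=%any conns that lack an explicit leftid or share one with another conn, following Paul's advice that the PSK and X.509 conns need distinct leftid values. The sample conf, its addresses and names are constructed, and treating a shared leftid as a conflict is this script's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two conn sections in the post (not the real config).
SAMPLE_CONF = """\
conn road-a-psk
         authby=secret
         left=192.0.2.1
         leftid=192.0.2.1
         right=%any
         keyingtries=5

conn road-b-pki
         authby=rsasig
         left=192.0.2.1
         leftcert=griswold-cert.pem
         leftid="C=US,O=Org,CN=vpnhost.example.com"
         right=%any
         rightrsasigkey=%cert
         rightid=%cert
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)\s*$", line)
        if m and not raw[0].isspace():            # section header is unindented
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")  # DN values contain '=' too
        current[key.strip()] = value.strip().strip('"')
    return conns

def check_any_conns(conns):
    """Flag road-warrior conns (right=%any) that cannot be told apart by leftid."""
    findings, by_leftid = [], defaultdict(list)
    for name, kv in conns.items():
        if kv.get("right") != "%any":
            continue
        if "authby" not in kv:
            findings.append(f"{name}: no authby set")
        if "leftid" not in kv:
            findings.append(f"{name}: right=%any without explicit leftid")
        by_leftid[kv.get("leftid")].append(name)
    for leftid, names in by_leftid.items():
        if len(names) > 1:   # assumption: same leftid leaves nothing to distinguish them
            findings.append(f"conns {names} share leftid={leftid!r}")
    return findings
```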


