[Openswan Users] help with bug 348

Paul Wouters paul at xelerance.com
Thu Mar 23 23:00:52 CET 2006

On Wed, 22 Mar 2006, Chris Haumesser wrote:

> Thanks, Paul.  I've followed your advice, and removed the authby pipe
> syntax from my configs, and added the leftid lines you suggested (please
> see below in case I'm still doing something syntactically incorrect).

It looks right.

> I still have a problem though, somewhere.  When I try to connect with a
> PSK, openswan insists on matching it to my x.509 conn, which obviously
> fails; and openswan never even tries the PSK connection.

Okay. I will create a new test case for this today.

> Can you (anyone?) comment at all on bug 348, and/or the procedure
> openswan uses to match incoming connections?  I.e., what factors
> determine which conn entry openswan will try to match first, especially
> in the case of multiple right=%any connections?

Our developers are catching up from IETF engagements, so they are a little
busy now.

> Just to be clear, it is *possible* to have one PSK plus one or more x509
> connections with right=%any, correct?

It should be possible, yes.

> Connection matching seems rather opaque to me, and I feel like I must
> still be missing something...

There does seem to be a bug in this. Does changing the order of the two
conns make the problem go away? Or does it move the problem to the
other conn?


More information about the Users mailing list