[Openswan Users] help with bug 348

Chris Haumesser chris at osafoundation.org
Fri Mar 24 17:05:28 CET 2006


Paul Wouters wrote:

> There does seem to be a bug in this. Does changing the order of the two
> conns make the problem go away? Or does it move the problem to the
> other conn?

It seems to move it to the other conn.  It doesn't seem to matter which
order I have the conns listed in the config, nor does the alphabetical
order seem to matter.

If I bring up openswan, and the first right=%any connection to the VPN
is via x509, then a subsequent right=%any PSK conn fails.  Conversely, if
the first right=%any connection to openswan is via PSK, then subsequent
right=%any x509 conns fail.

It seems that I can only have one of the connections active at once.

For example, let's say that the first connection to openswan is via PSK,
rendering x509 unusable.

Then I remove the PSK conn, by issuing ipsec auto --down road-a-psk;
ipsec auto --delete road-a-psk.

Once I do bring down the PSK conn, if I do ipsec auto --up road-b-x509,
my x509 connections start working (though of course this breaks PSK).

Finally, if I try to reactivate the PSK connection (ipsec auto --add
road-a-psk) while the x509 conn is still up, I get the following errors:

023 authentication method disagrees with "road-b-x509", which is also
for an unspecified peer
037 attempt to load incomplete connection

The inverse is true also; that is, the connection order doesn't matter.
Whichever connection openswan receives first is the one that works
until openswan is either restarted, or the connections are manually
shuffled as above.


-C-



-- 
Chris Haumesser
Systems Administrator
  Kapor Enterprises, Inc.
  Open Source Applications Foundation
  Level Playing Field Institute
