[Openswan Users] help with bug 348

Chris Haumesser chris at osafoundation.org
Fri Mar 24 17:05:28 CET 2006

Paul Wouters wrote:

> There does seem to be a bug in this. Does changing the order of the two
> conns make the problem go away? Or does it move the problem to the
> other conn?

It seems to move it to the other conn.  It doesn't seem to matter which
order I have the conns listed in the config, nor does the alphabetical
order seem to matter.

If I bring up openswan, and the first right=%any connection to the VPN
is via x509, then subsequent right=%any PSK conn fails.  Conversely, if
the first right=%any connection to openswan is via PSK, then subsequent
right=%any x509 conns fail.

It seems that I can only have one of the connections active at once.

For example, let's say that the first connection to openswan is via PSK,
rendering x509 unusable.

Then I remove the PSK conn, by issuing ipsec auto --down road-a-psk;
ipsec auto --delete road-a-psk.

Once I do bring down the PSK conn, if I do ipsec auto --up road-b-x509,
my x509 connections start working (though of course this breaks PSK).

Finally, if I try to reactivate the PSK connection (ipsec auto --add
road-a-psk) while the x509 conn is still up, I get the following errors:

023 authentication method disagrees with "road-b-x509", which is also
for an unspecified peer
037 attempt to load incomplete connection

The inverse is true also; that is, the connection order doesn't matter.
 Whichever connection openswan receives first is the one that works
until openswan is either restarted, or the connections are manually
shuffled as above.


Chris Haumesser
Systems Administrator
  Kapor Enterprises, Inc.
  Open Source Applications Foundation
  Level Playing Field Institute

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.openswan.org/pipermail/users/attachments/20060324/c1e645da/signature.bin

More information about the Users mailing list