[Openswan Users] help with bug 348
chris at osafoundation.org
Fri Mar 24 17:05:28 CET 2006
Paul Wouters wrote:
> There does seem to be a bug in this. Does changing the order of the two
> conns make the problem go away? Or does it move the problem to the
> other conn?
It seems to move it to the other conn. It doesn't seem to matter which
order I have the conns listed in the config, nor does the alphabetical
order seem to matter.
If I bring up openswan, and the first right=%any connection to the VPN
is via x509, then subsequent right=%any PSK conn fails. Conversely, if
the first right=%any connection to openswan is via PSK, then subsequent
right=%any x509 conns fail.
It seems that I can only have one of the connections active at once.
For example, let's say that the first connection to openswan is via PSK,
rendering x509 unusable.
Then I remove the PSK conn by issuing ipsec auto --down road-a-psk;
ipsec auto --delete road-a-psk.
Once I do bring down the PSK conn, if I do ipsec auto --up road-b-x509,
my x509 connections start working (though of course this breaks PSK).
Finally, if I try to reactivate the PSK connection (ipsec auto --add
road-a-psk) while the x509 conn is still up, I get the following errors:
023 authentication method disagrees with "road-b-x509", which is also
for an unspecified peer
037 attempt to load incomplete connection
The inverse is true also; that is, the connection order doesn't matter.
Whichever connection openswan receives first is the one that works
until openswan is either restarted, or the connections are manually
shuffled as above.
Kapor Enterprises, Inc.
Open Source Applications Foundation
Level Playing Field Institute
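For readers trying to reproduce the report, the following ipsec.conf fragment is an added illustration of the setup the message describes (two right=%any conns, one PSK and one X.509); it is not configuration posted by the reporter, and the leftid, leftcert, leftsubnet and rightrsasigkey values are placeholders that have to be replaced with a site's own. The authby keywords are the standard Openswan ones for the two authentication methods.

```ini
# Assumed reconstruction of the reporter's two road-warrior conns.
# Both use right=%any, so the responder cannot tell them apart by peer
# address; the message above describes only one of them working at a time.
config setup
    interfaces=%defaultroute

# PSK road warriors (name taken from the report)
conn road-a-psk
    left=%defaultroute
    leftsubnet=10.0.0.0/24          # placeholder: internal subnet
    right=%any
    authby=secret                   # pre-shared key, keyed in ipsec.secrets
    pfs=yes
    auto=add

# X.509 road warriors (name taken from the report)
conn road-b-x509
    left=%defaultroute
    leftsubnet=10.0.0.0/24          # placeholder: internal subnet
    leftcert=gateway.pem            # placeholder: gateway certificate
    leftid="C=XX, O=Example, CN=gateway"   # placeholder: gateway DN
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightca=%same                   # accept peers from the same CA
    authby=rsasig                   # certificate-based authentication
    pfs=yes
    auto=add
```

When checking a configuration like this, the relevant thing to inspect is the output of ipsec auto --status after each --add/--delete step, since the "authentication method disagrees" error quoted in the report is raised at load time, not at connection time.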