[Openswan Users] L2TP/IPsec X.509 and Dynamic RSA?
Peter McGill
petermcgill at goco.net
Fri Nov 17 10:04:39 EST 2006
Alright, my connection works without the L2TP/IPSec X.509 stuff.
But when I add that stuff and restart both sides, it stops working; details follow.
ipsec.conf:
version 2.0

config setup
    interfaces=%defaultroute
    uniqueids=yes
    crlcheckinterval=600

include /etc/ipsec.d/examples/no_oe.conf

conn mcgill-home-net-to-london-office-net
    also=london-office
    leftsubnet=172.21.0.0/16
    alsoflip=mcgill-home
    rightsubnet=10.0.0.0/24
    auto=add

conn mcgill-home-net-to-london-office-server
    also=london-office
    alsoflip=mcgill-home
    rightsubnet=10.0.0.0/24
    auto=add

conn remote-client-to-london-office-server
    left=66.11.74.93
    leftnexthop=%defaultroute
    leftid="/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster at goco.net"
    leftrsasigkey=%cert
    leftcert=/etc/ipsec.d/certs/sheridan.crt
    leftprotoport=udp/l2tp
    right=%any
    rightid="/C=CA/ST=Ontario/L=*/O=Gra Ham Energy Limited/OU=*/CN=*/emailAddress=*"
    rightca=%same
    rightprotoport=udp/%any
    pfs=no
    rekey=no
    keyingtries=3
    authby=rsasig
    auto=add

conn london-office
    left=66.11.74.93
    leftnexthop=%defaultroute
    leftid=@sheridan.london.goco.net
    leftrsasigkey=...removed...

conn mcgill-home
    left=%any
    leftid=@newton.mcgill.stmarys.on.ca
    leftrsasigkey=...removed...
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
ipsec.secrets:
# sheridan's RSA
66.11.74.93 @sheridan.london.goco.net
69.159.228.59 @delenn.stmarys.goco.net
209.162.226.246 @sinclair.paris.goco.net
69.63.33.181 @franklin.thorndale.goco.net
@newton.mcgill.stmarys.on.ca
    : RSA {
    ...
    removed
    ...
    }

# sheridan's Certificate
66.11.74.93 @sheridan.london.goco.net
%any
    : RSA /etc/ipsec.d/private/sheridan-private.key
/var/log/secure:
Phase 1 seems to connect ok, but Phase 2 never starts.
Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: Dead Peer Detection (RFC 3706): enabled
Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: next payload type of ISAKMP Hash Payload has an unknown value: 147
Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: malformed payload in packet
Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: sending notification PAYLOAD_MALFORMED to 216.46.154.52:500
It seems that it's getting the right connection but not the right key?
This repeats and then Dead Peer Detection cleans up and deletes the connection instance.
Peter McGill
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Peter McGill" <petermcgill at goco.net>
Cc: <users at openswan.org>
Sent: Thursday, November 16, 2006 10:46 AM
Subject: Re: [Openswan Users] L2TP/IPsec X.509 and Dynamic RSA?
> On Thu, 16 Nov 2006, Peter McGill wrote:
>
>> But when I've tried in the past my home management connection has always gotten in
>> the way, they don't both seem to want to work, being both dynamic ips.
>>
>> Can I get these to work cooperatively, or is it useless to try?
>
> Yes you can. Make sure your home connection sets a leftid=@string1 and
> rightid=@string2. l2tp clients will use their DN as id, and should therefore
> fall into the other connection.
>
>> or do I have to completely redo the connection to use full L2TP/IPSec as well?
>
> Nope.
>
> Paul
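As an added example (not part of this thread and not Openswan's own code), the script below parses pluto log lines of the shape quoted above and flags, per connection instance and peer, the pattern Peter describes: an ISAKMP SA that is established and is then followed by an "unknown payload type" / "malformed payload" rejection and a PAYLOAD_MALFORMED notification. It records which conn pluto matched the peer against and the negotiated Phase 1 parameters, which is what you want in front of you when checking whether a road-warrior was matched to the intended conn. The sample lines are the ones from the post; the function names and the regular expression are assumptions of this example.

```python
import re
from collections import defaultdict

# Shape of the pluto lines quoted in the post (assumed regex, not an Openswan artefact):
#   <Mon DD HH:MM:SS> <host> pluto[<pid>]: "<conn>"[<inst>] <peer> #<state>: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>[\d.]+) #(?P<state>\d+): (?P<msg>.*)$'
)
UNKNOWN_RE = re.compile(r'next payload type of (.+?) has an unknown value: (\d+)')
PARAMS_RE = re.compile(r'\{([^}]*)\}')

# Log lines taken verbatim from the post (line-wrapping rejoined).
SAMPLE_LINES = [
    'Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: '
    'STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 '
    'prf=oakley_md5 group=modp1536}',
    'Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: '
    'Dead Peer Detection (RFC 3706): enabled',
    'Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: '
    'next payload type of ISAKMP Hash Payload has an unknown value: 147',
    'Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: '
    'malformed payload in packet',
    'Nov 16 15:04:14 sheridan pluto[17085]: "mcgill-home-net-to-london-office-net"[1] 216.46.154.52 #30: '
    'sending notification PAYLOAD_MALFORMED to 216.46.154.52:500',
]


def parse_pluto_line(line):
    """Return a dict of fields for a pluto state line, or None for lines of another shape."""
    m = PLUTO_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['pid'] = int(rec['pid'])
    rec['state'] = int(rec['state'])
    rec['inst'] = int(rec['inst']) if rec['inst'] is not None else None
    return rec


def triage(lines):
    """Group state lines by (conn, peer) and report instances that completed Phase 1
    but then rejected a packet as malformed. Returns a list of finding dicts."""
    per_peer = defaultdict(lambda: {
        'isakmp_sa': False, 'isakmp_params': {}, 'unknown_payloads': [],
        'malformed': 0, 'notified': 0, 'states': set(),
    })
    for line in lines:
        rec = parse_pluto_line(line)
        if rec is None:
            continue
        e = per_peer[(rec['conn'], rec['peer'])]
        e['states'].add(rec['state'])
        msg = rec['msg']
        if 'ISAKMP SA established' in msg:
            e['isakmp_sa'] = True
            pm = PARAMS_RE.search(msg)
            if pm:
                # "{auth=... cipher=... prf=... group=...}" -> dict of the Phase 1 proposal
                e['isakmp_params'] = dict(kv.split('=', 1) for kv in pm.group(1).split())
        um = UNKNOWN_RE.search(msg)
        if um:
            e['unknown_payloads'].append((um.group(1), int(um.group(2))))
        if 'malformed payload' in msg:
            e['malformed'] += 1
        if 'PAYLOAD_MALFORMED' in msg:
            e['notified'] += 1

    findings = []
    for (conn, peer), e in per_peer.items():
        if e['isakmp_sa'] and (e['malformed'] or e['unknown_payloads']):
            findings.append({
                'conn': conn,
                'peer': peer,
                'states': sorted(e['states']),
                'isakmp_params': e['isakmp_params'],
                'unknown_payloads': e['unknown_payloads'],
                'malformed': e['malformed'],
                'notified': e['notified'],
                # Phase 1 completed, so the peer authenticated against *this* conn;
                # the follow-up rejection is where to start when checking conn selection.
                'note': 'ISAKMP SA established, then packet rejected as malformed; '
                        'confirm the peer matched the intended conn and identity',
            })
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f"{f['conn']} <- {f['peer']} states={f['states']} "
              f"auth={f['isakmp_params'].get('auth')} unknown={f['unknown_payloads']} "
              f"malformed={f['malformed']} notified={f['notified']}")
```

Run it against a copy of /var/log/secure (`triage(open('/var/log/secure').readlines())`) to get one line per affected conn/peer; the conn name in the finding is the one pluto actually instantiated for that peer, which is the first thing to compare against the conn you expected the L2TP client to land in.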