[Openswan Users] L2TP/IPsec X.509 and Dynamic RSA?

Peter McGill petermcgill at goco.net
Fri Nov 17 12:32:28 EST 2006


> On Fri, 17 Nov 2006, Peter McGill wrote:
> 
>> Alright, my connection works without the L2TP/IPSec X.509 stuff.
>> But when I add that stuff, and restart both sides, it stops working, details
>> follow.
> 
>> conn mcgill-home-net-to-london-office-net
>> conn mcgill-home-net-to-london-office-server
>> conn remote-client-to-london-office-server
> 
>> ipsec.secrets:
>> # sheridan's RSA
>> 66.11.74.93 @sheridan.london.goco.net
>>        69.159.228.59 @delenn.stmarys.goco.net
>>        209.162.226.246 @sinclair.paris.goco.net
>>        69.63.33.181 @franklin.thorndale.goco.net
>>        @newton.mcgill.stmarys.on.ca
>>        : RSA   {
>>        removed
>>        ...
>>        }
>>
>> # sheridan's Certificate
>> 66.11.74.93 @sheridan.london.goco.net
>>      %any
>>      : RSA /etc/ipsec.d/private/sheridan-private.key
> 
> Can you try only putting sheridan's "id" into the raw RSA key line
> as identifier, and then not put the "@sheridan.london.goco.net" in
> the key file identifier. Right now, "@sheridan.london.goco.net"
> appears for both RSA keys, so pluto can pick the wrong one.
> 
> Paul

Right, I missed that.

I changed ipsec.secrets to:
# sheridan's Certificate
66.11.74.93 "/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster at goco.net"
        %any
        : RSA /etc/ipsec.d/private/sheridan-private.key

Now both IPSec connections seem to coexist without getting in each other's way, thanks.
The mcgill-home... connection connected fine.
Then I connected using the remote-client...
It logged a little funny but worked ok, without interrupting the other connection.
At first it thought it was the mcgill-home... conn, until it received the id, then it switched to using the remote-client... conn.
But I guess that's to be expected, as it can't tell which conn to use until it receives the id.
I did receive the same error as before too, the PAYLOAD_MALFORMED.
But then it went ahead and established the Phase 2, IPSec SA alright, anyway, so I guess that's ok too.
Thanks for your help.

Peter
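The point Paul makes above (an identifier listed on two RSA entries lets pluto pick the wrong key) is easy to check mechanically. What follows is an added example written for this page, not Openswan's code and not something either poster ran: a small Python lint that parses the ipsec.secrets entry format used in the thread ("selectors ... : KIND payload", with continuation lines, comments and a `{ ... }` raw-key body) and reports any selector that appears on more than one entry of the same kind. The two sample files are constructed from the entries quoted above; the key body is a dummy, and the parser only covers the syntax visible on this page, so it is a lint helper, not a replacement for pluto's own parser.

```python
"""Lint an ipsec.secrets file for selectors shared by two entries of one kind.

Added example for this thread; not Openswan's code.  It parses the
"selectors ... : KIND payload" entry format and reports any identifier that
appears on more than one entry of the same kind, which is the situation Paul
describes: pluto may then pick the wrong key for that identifier.
"""
import shlex
from collections import defaultdict

# Constructed from the entries quoted in the thread; the key body is a dummy.
BEFORE = """\
# sheridan's RSA
66.11.74.93 @sheridan.london.goco.net
        69.159.228.59 @delenn.stmarys.goco.net
        @newton.mcgill.stmarys.on.ca
        : RSA   {
        # dummy key body, not a real key
        Modulus: 0x00
        }

# sheridan's Certificate
66.11.74.93 @sheridan.london.goco.net
        %any
        : RSA /etc/ipsec.d/private/sheridan-private.key
"""

# The same file after the fix from the thread: the certificate entry now uses
# the DN as its identifier instead of @sheridan.london.goco.net.
AFTER = """\
# sheridan's RSA
66.11.74.93 @sheridan.london.goco.net
        69.159.228.59 @delenn.stmarys.goco.net
        @newton.mcgill.stmarys.on.ca
        : RSA   {
        # dummy key body, not a real key
        Modulus: 0x00
        }

# sheridan's Certificate
66.11.74.93 "/C=CA/ST=Ontario/O=Gra Ham Energy Limited/CN=sheridan.goco.net/emailAddress=hostmaster at goco.net"
        %any
        : RSA /etc/ipsec.d/private/sheridan-private.key
"""


def parse_secrets(text):
    """Return a list of (selectors, kind, payload) tuples.

    Covers the subset used on this page: IP, @fqdn, %any and "quoted DN"
    selectors, continuation lines, '#' comments, a '{ ... }' raw-key body and
    a path payload.  shlex strips the quotes and comments for us.
    """
    toks = shlex.split(text, comments=True)
    entries, selectors, i = [], [], 0
    while i < len(toks):
        if toks[i] != ":":
            selectors.append(toks[i])
            i += 1
            continue
        if i + 2 >= len(toks):
            raise ValueError("entry cut off after ':'")
        kind = toks[i + 1]                      # RSA, PSK, ...
        if toks[i + 2] == "{":                  # raw key body, ends at '}'
            close = toks.index("}", i + 3)
            payload = " ".join(toks[i + 3:close])
            i = close + 1
        else:
            payload = toks[i + 2]               # key file path or secret
            i += 3
        # An entry with no selectors matches any peer; record it as %any.
        entries.append((tuple(selectors) or ("%any",), kind, payload))
        selectors = []
    if selectors:
        raise ValueError("selectors without a ': KIND' entry: %r" % (selectors,))
    return entries


def shared_selectors(entries):
    """Map (kind, selector) -> entry indexes for selectors that appear on more
    than one entry of the same kind.  %any is skipped: it is a deliberate
    wildcard, not an identifier that can be matched ambiguously."""
    seen = defaultdict(list)
    for idx, (selectors, kind, _payload) in enumerate(entries):
        for sel in selectors:
            if sel != "%any":
                seen[(kind, sel)].append(idx)
    return {key: idxs for key, idxs in seen.items() if len(idxs) > 1}


def lint(text):
    """Sorted (kind, selector) pairs that are shared between entries."""
    return sorted(shared_selectors(parse_secrets(text)))


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, lint(text) or "no shared selectors")
```

On the "before" file the lint reports both `@sheridan.london.goco.net` and `66.11.74.93` as shared RSA selectors; on the "after" file only the bare address `66.11.74.93` remains, since both of Peter's entries keep it. Whether that still matters depends on whether any conn identifies itself by the bare address rather than a leftid, which the thread does not show, so the report is meant to be read by a person rather than treated as a hard error.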

