[Openswan Users] Cannot connect multiple connections from %any address using x.509 certs
Lawrence Manning
lawrence.manning at smoothwall.net
Fri Oct 20 07:58:43 EDT 2006
Hi list,
I have a problem with the following setup: multiple connections to a
site where the remote IP addresses are unknown (ie. right=%any). It
seems that the connection is going into the wrong connection slot.
I am using openswan 2.4.6. With an identical setup, I do not have
any problems when using openswan 1.0.10.
Here is the gist of the config:
version 2
config setup
klipsdebug=none
plutodebug=none
plutowait=no
uniqueids=yes
nat_traversal=yes
hidetos=no
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:169.254.0.0/16,%v4:!192.168.72.0/255.255.255.0,%v4:!192.168.100.0/255.255.255.0,%v4:!192.168.73.0/255.255.255.0
interfaces="ipsec0=ethB ipsec1=ethA ipsec3=ethC ipsec4=ethD"
conn clear
auto=ignore
conn clear-or-private
auto=ignore
conn private-or-clear
auto=ignore
conn private
auto=ignore
conn block
auto=ignore
conn packetdefault
auto=ignore
conn conn78
ike=aes128-md5
esp=aes128-md5
left=82.69.176.133
leftnexthop=82.69.176.134
right=%any
leftsubnet=192.168.0.0/255.255.0.0
rightsubnet=192.168.13.0/255.255.255.224
leftid=@soton.smoothwall.net
rightid=@tom.smoothwall.net
leftcert=host43cert.pem
leftrsasigkey=%cert
rightrsasigkey=%cert
authby=rsasig
auth=esp
pfs=yes
keylife=240m
ikelifetime=30m
keyingtries=25
compress=yes
dpddelay=30
dpdtimeout=120
dpdaction=hold
auto=add
conn conn146
ike=aes128-md5
esp=aes128-md5
left=82.69.176.133
leftnexthop=82.69.176.134
right=%any
leftsubnet=192.168.0.0/255.255.0.0
rightsubnet=192.168.70.0/23
leftid=@soton.smoothwall.net
rightid=@fw.leeds.smoothwall.net
leftcert=host43cert.pem
leftrsasigkey=%cert
rightrsasigkey=%cert
authby=rsasig
auth=esp
pfs=yes
keylife=240m
ikelifetime=30m
keyingtries=10
compress=yes
dpddelay=30
dpdtimeout=120
dpdaction=hold
auto=add
The above shows two connections, but it doesn't matter how many I
have: always when either of the above connection attempts is made,
it ends up in a different connection handler for another connection
with right=%any, and I have these lines in the log:
Oct 20 12:55:17 s_sys at linux pluto[23704]: "conn167"[140] 87.75.128.20 #199: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Oct 20 12:55:17 s_sys at linux pluto[23704]: "conn167"[140] 87.75.128.20 #199: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION
Curiously, if I --delete the connection and then --add it again the
connection works. It is as if the VPN server is trying to match the
connection only with the first right=%any it finds. Is this a bug?
Or is my config somehow broken? This identical setup (except for the
"conn clear" etc. lines) works fine with openswan 1.0.10.
Thanks very much for any help,
--
Lawrence Manning
Lead Developer
Smoothwall Ltd. - http://www.smoothwall.net/
This email and any attachments transmitted with it are confidential
to the intended recipient(s) and may not be communicated to any other
person or published by any means without the express permission of
SmoothWall Limited. Any views expressed in this message are solely
those of the author. See: http://www.smoothwall.net/emailnotice.html
for the full text of this notice.
This email has been processed by SmoothZap - www.smoothwall.net
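As an added example (not part of this post and not Openswan's own code), here is a small Python linter that parses an ipsec.conf and flags the situation the post describes: several auto=add conns on the same left address with right=%any whose ike= proposal sets differ, or whose rightid values collide. It rests on one assumption stated here rather than in the post: an IKEv1 Main Mode responder has to choose a conn by peer address before the peer's ID payload arrives, so whichever right=%any conn is found first is the one the Phase 1 proposal is checked against, and a proposal that conn rejects is refused even if another %any conn would have accepted it. The sample config is constructed from the two conns in the post plus a hypothetical conn167 with a different proposal; the rightid @third.example.invalid and that conn's subnet are made up.

```python
"""Lint an ipsec.conf for right=%any conns that cannot coexist as
IKEv1 responder slots on the same left address.

Assumption (not from the original post): the responder picks a conn by
peer address before it knows the peer's identity, so every right=%any
conn sharing a left address must accept the same Phase 1 (ike=)
proposal set, and no two may share a rightid.
"""
from collections import defaultdict

# Constructed sample: conn78 and conn146 are trimmed from the post;
# conn167 is hypothetical and deliberately carries a different proposal.
SAMPLE_CONF = """\
version 2
config setup
    uniqueids=yes
    nat_traversal=yes
conn conn78
    ike=aes128-md5
    esp=aes128-md5
    left=82.69.176.133
    right=%any
    rightid=@tom.smoothwall.net
    rightsubnet=192.168.13.0/255.255.255.224
    authby=rsasig
    auto=add
conn conn146
    ike=aes128-md5
    esp=aes128-md5
    left=82.69.176.133
    right=%any
    rightid=@fw.leeds.smoothwall.net
    rightsubnet=192.168.70.0/23
    authby=rsasig
    auto=add
conn conn167   # hypothetical third roadwarrior slot
    ike=3des-sha1
    esp=3des-sha1
    left=82.69.176.133
    right=%any
    rightid=@third.example.invalid
    rightsubnet=192.168.90.0/24
    authby=rsasig
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the 'conn' sections only.

    Follows the ipsec.conf layout: section headers at column 0
    ('conn NAME', 'config setup', 'version 2'), indented key=value
    lines beneath them, '#' comments and blank lines.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header line
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def any_conn_conflicts(conns):
    """Group active right=%any conns by left address and report, per
    group, divergent ike= proposal sets and duplicated rightid values.
    Returns a list of (left, problem, details) tuples; empty means clean.
    """
    groups = defaultdict(list)
    for name, c in conns.items():
        if c.get("right") == "%any" and c.get("auto", "ignore") != "ignore":
            groups[c.get("left", "?")].append(name)
    findings = []
    for left, names in groups.items():
        proposals = {n: conns[n].get("ike", "<default>") for n in names}
        if len(set(proposals.values())) > 1:
            findings.append((left, "divergent-ike", proposals))
        by_id = defaultdict(list)
        for n in names:
            by_id[conns[n].get("rightid", "<none>")].append(n)
        for rid, dup in by_id.items():
            if len(dup) > 1:
                findings.append((left, "duplicate-rightid", {rid: dup}))
    return findings


if __name__ == "__main__":
    for left, problem, details in any_conn_conflicts(parse_ipsec_conf(SAMPLE_CONF)):
        print(f"left={left}: {problem}: {details}")
```

Run against the sample, the linter reports one finding: the three %any conns on 82.69.176.133 do not agree on ike= (conn167 offers 3des-sha1 while the others offer aes128-md5), which is exactly the condition under which the responder's address-based conn choice decides whether a Phase 1 proposal is accepted. Making the ike= line identical across all %any conns on a left address (or leaving it unset so the defaults apply) removes that dependency; distinct rightid values are then enough to separate the peers once their certificates arrive.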