[Openswan Users] PSK works, certificates not

Paul Wouters paul at xelerance.com
Tue Jul 17 19:11:48 EDT 2007

On Wed, 18 Jul 2007, Arno Lehmann wrote:

> That works:
> > balrog:~ # ipsec auto --listall
> > 000
> > 000 List of Public Keys:
> > 000
> > 000 Jul 17 11:39:30 2007, 4096 RSA Key AwEAAfYjK, until Jul 16 11:04:36 2008 ok

Ahh, 4096 bit keys cause IKE fragmentation, and will run into additional problems.
Stick to 1024 until there is IKEv2 support.

> Do I correctly assume that this key can be correlated to certificates
> by its ID_USER_FQDN as well as its ID_DER_ASN1_DN?

YEs, but you shouldn't need to use any.

> My limited knowledge of IPsec et al doesn't tell me how that could be
> handled better... I assume that, at this point in the IPsec
> conversation, the server already works in "encrypted mode" and has to
> interpret all data according to its decrytption rules. The client
> then, when it decides it can't use encryption, simply has no way of
> transmitting a valid response. (I'm sure this has been discussed among
> the people actually coding IPsec stacks, but currently I don not want
> to learn about these details :-)

One end decided the crypto could not be estalbished. The other end thinks
the first end can do crypto and starts sending crypted packets which gets
dropped. This tends to happen only to Windows, which assumes too quickly
that crypto is active, instead of waiting for the last confirmation message.

Building and integrating Virtual Private Networks with Openswan:

More information about the Users mailing list