[Openswan Users] PSK works, certificates not

Arno Lehmann al at its-lehmann.de
Tue Jul 17 19:34:30 EDT 2007


Hi,

18.07.2007 01:11, Paul Wouters wrote:
> On Wed, 18 Jul 2007, Arno Lehmann wrote:
> 
>> That works:
>>> balrog:~ # ipsec auto --listall
>>> 000
>>> 000 List of Public Keys:
>>> 000
>>> 000 Jul 17 11:39:30 2007, 4096 RSA Key AwEAAfYjK, until Jul 16 11:04:36 2008 ok
> 
> Ahh, 4096 bit keys cause IKE fragmentation, and will run into additional problems.
> Stick to 1024 until there is IKEv2 support.

I read about that, but my observations revealed only udp packets of 
500 to 600 bytes length... anyway, I'll try that tomorrow. And thanks 
for the suggestion!

>> Do I correctly assume that this key can be correlated to certificates
>> by its ID_USER_FQDN as well as its ID_DER_ASN1_DN?
> 
> Yes, but you shouldn't need to use any.

I know that, but I try to understand what I'm setting up :-)

>> My limited knowledge of IPsec et al doesn't tell me how that could be
>> handled better... I assume that, at this point in the IPsec
>> conversation, the server already works in "encrypted mode" and has to
>> interpret all data according to its decryption rules. The client
>> then, when it decides it can't use encryption, simply has no way of
>> transmitting a valid response. (I'm sure this has been discussed among
>> the people actually coding IPsec stacks, but currently I do not want
>> to learn about these details :-)
> 
> One end decided the crypto could not be established. The other end thinks
> the first end can do crypto and starts sending crypted packets which get
> dropped. This tends to happen only to Windows, which assumes too quickly
> that crypto is active, instead of waiting for the last confirmation message.

Ah, thanks for the clarification... so it's actually just the opposite 
of what I assumed.

Arno

> Paul

-- 
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
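The thread turns on a single line of `ipsec auto --listall` output: the key size it reports decides whether IKE (IKEv1, at the time of this 2007 exchange) will have to fragment its UDP messages, and the "until" date decides whether the key is still valid. The following script is an added example, not part of the original mailing-list post or of Openswan itself. It parses the "List of Public Keys" block in the format quoted above and flags keys larger than the 1024-bit limit Paul suggests, keys past their expiry, and keys whose trailing status is anything other than "ok". The first sample line is the one quoted in the thread; the second 1024-bit line and the `parse_listall`, `audit_keys` and `parse_date` names are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample modelled on the `ipsec auto --listall` output quoted in
# the thread. The 4096-bit line is the one from the mail; the 1024-bit line
# is made up here so that the audit has a "good" key to compare against.
SAMPLE_LISTALL = """000
000 List of Public Keys:
000
000 Jul 17 11:39:30 2007, 4096 RSA Key AwEAAfYjK, until Jul 16 11:04:36 2008 ok
000 Jan  5 09:00:00 2007, 1024 RSA Key AwEAAbcde, until Jan  4 09:00:00 2008 ok
"""

# One public-key line: "000 <added>, <bits> RSA Key <keyid>, until <expiry> <status>"
KEY_LINE = re.compile(
    r"^000 (?P<added>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}), "
    r"(?P<bits>\d+) RSA Key (?P<keyid>[^,]+), "
    r"until (?P<until>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<status>\w+)$"
)


def parse_date(text):
    """Parse a pluto-style timestamp such as 'Jul 17 11:39:30 2007'.

    Day numbers below 10 are padded with an extra space in the output, so the
    whitespace is collapsed before handing the string to strptime.
    """
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")


def parse_listall(text):
    """Return one dict per public-key line found in --listall output."""
    keys = []
    for line in text.splitlines():
        match = KEY_LINE.match(line.rstrip())
        if not match:
            continue  # status lines, headers and blank "000" lines are skipped
        keys.append({
            "keyid": match.group("keyid"),
            "bits": int(match.group("bits")),
            "added": parse_date(match.group("added")),
            "until": parse_date(match.group("until")),
            "status": match.group("status"),
        })
    return keys


def audit_keys(keys, now, max_bits=1024):
    """Flag keys that, per the thread, will cause trouble for this IKE setup.

    Returns a list of (keyid, reason) tuples; an empty list means no findings.
    """
    findings = []
    for key in keys:
        if key["bits"] > max_bits:
            findings.append((key["keyid"],
                             "%d-bit key exceeds %d bits: expect IKE fragmentation"
                             % (key["bits"], max_bits)))
        if key["until"] <= now:
            findings.append((key["keyid"],
                             "key expired on %s" % key["until"].isoformat()))
        if key["status"] != "ok":
            findings.append((key["keyid"], "status is '%s'" % key["status"]))
    return findings


if __name__ == "__main__":
    # The thread was written on 18 Jul 2007; use that as "now" for the demo.
    for keyid, reason in audit_keys(parse_listall(SAMPLE_LISTALL),
                                    datetime(2007, 7, 18)):
        print("%s: %s" % (keyid, reason))
```

Run it against a real `ipsec auto --listall` capture by piping the output into `parse_listall` instead of the embedded sample. The 1024-bit threshold mirrors Paul's suggestion for the Openswan/IKEv1 setup discussed here; keep in mind that 1024-bit RSA is below what current key-length guidance considers adequate, so on a modern deployment the more useful adjustments are IKEv2 or IKE fragmentation support rather than a smaller key.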

