[Openswan Users] RSA and RSA with XAUTH at the same machine?

Paul Wouters paul at xelerance.com
Mon Dec 15 12:36:40 EST 2008


On Mon, 15 Dec 2008, harald.meyer7 at freenet.de wrote:

> If you have several RSASIG (without xauth) conn entries in your ipsec.conf,
> the first one (depends on order of adding) welcomes the road warrior
> in IKE phase 1.

No. Pluto cannot distinguish which of your conns is being picked because
all of their phase 1s are identical, so it just picks one. It later on
switches to the proper conn when it gets information that is different in
phase 2.

> Within this conn section the road warrior's identity/cert is checked, and
> only then is it switched to the matching conn section - but too late:
> the xauth road warrior is declined at this point already. (See snippets
> below.)

This might be the problem. We'll have to add a testcase for it and see
if we can reproduce it.

You might be able to work around it using aggressive mode on the xauth
connection.

Paul
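As an added illustration of the workaround Paul suggests (this is not from the thread or from the Openswan project), here is an ipsec.conf sketch with one plain RSASIG road-warrior conn and one RSASIG+XAUTH conn that enables aggressive mode, so the client's ID is sent in the first IKE exchange and Pluto can select the xauth conn during phase 1 rather than falling back to whichever RSASIG conn was added first. The gateway name, subnet and certificate/CA file names are placeholders.

```ini
# Added example (not from the thread): two RSA road-warrior conns in Openswan.
# Both use certificate-based RSASIG. The XAUTH conn adds aggrmode=yes so the
# initiator's ID arrives in the first IKE message, letting Pluto pick this conn
# in phase 1 instead of the "first RSASIG conn added".
# Placeholders: gw.example.org, 10.0.0.0/24, gwCert.pem.

config setup
        protostack=netkey
        nat_traversal=yes

conn %default
        left=gw.example.org
        leftcert=gwCert.pem
        leftrsasigkey=%cert
        leftsubnet=10.0.0.0/24
        right=%any
        rightrsasigkey=%cert
        rightca=%same
        rightid=%fromcert
        authby=rsasig
        pfs=yes

# Plain RSA road warriors: main mode, no XAUTH. Inherits from %default.
conn rw-rsa
        auto=add

# RSA + XAUTH road warriors, using the aggressive-mode workaround.
# Aggressive mode needs exactly one ike= proposal (the DH group is fixed
# up front) and transmits the IDs unencrypted, so keep it to this conn only.
conn rw-rsa-xauth
        leftxauthserver=yes
        rightxauthclient=yes
        aggrmode=yes
        ike=aes128-sha1;modp1536
        auto=add
```

Because aggressive mode exposes the peer identities in cleartext and pins the IKE proposal, treat it as a workaround for the conn-selection problem above rather than a default for every conn.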

