[Openswan Users] RSA and RSA with XAUTH at the same machine?
harald.meyer7 at freenet.de
harald.meyer7 at freenet.de
Mon Dec 15 16:35:13 EST 2008
Hi Paul!
Thanks for sharing my problem!
> > If you have several RSASIG (without xauth) conn entries in your
> ipsec.conf,
> > the first one (denpends on order of adding) welcomes the road warrior
> > in IKE phase 1.
>
> No. Pluto cannot distinguish which of your conns is being picked because
> all of their phase 1's are identical, so it just picks one. It later on
> switches to the proper conn when it gets information that is different in
> the phase 2.
Ah, ok, sounds more precise. (I'd thougt that switching process to
the proper conn is in phase 1, already.)
> > Within this conn section the road warriors identity/cert is checked, and
> > only then it will be switched to the matching conn section - but too
> late:
> > the xauth road warrior is declined at this point already. (See snippets
> > below.)
>
> This might be the problem. We'll have to add a testcase for it and see
> if we can reproduce it.
Sounds like my requirement is really a problem, not a config issue. Huuu,
I'm not happy... Leads to a Linux update orgy, I suppose... (If someone is
able to correct this disadvantageous property.)
> You might be able to work around it using aggressive mode on the xauth
> connection.
I'm not sure if I understand you.
i. Aggressive Mode is better known als MITM Mode, I think. Am I right?
Agg. M. perhaps only works with PSKs?
ii. Isn't there the same problem: no combination of RSASIG/Main Mode and
Aggressive Mode at the same box? (And I'm not able to do without RSASIG/
Main Mode road warriors.)
(OMG, what a waste of time! And just for playing with iPhone... [Nobody has
an advantage. *smile* ])
Regards,
Harald
#adBox3 {display:none;}
More information about the Users
mailing list