[Openswan Users] RSA and RSA with XAUTH at the same machine?

harald.meyer7 at freenet.de harald.meyer7 at freenet.de
Mon Dec 15 16:35:13 EST 2008


Hi Paul!

Thanks for sharing my problem!

> > If you have several RSASIG (without xauth) conn entries in your
> > ipsec.conf, the first one (depends on order of adding) welcomes the
> > road warrior in IKE phase 1.
> 
> No. Pluto cannot distinguish which of your conns is being picked because
> all of their phase 1's are identical, so it just picks one. It later on
> switches to the proper conn when it gets information that is different in
> the phase 2.

Ah, ok, sounds more precise. (I'd thought that the switching process to
the proper conn is in phase 1, already.)


> > Within this conn section the road warrior's identity/cert is checked, and
> > only then it will be switched to the matching conn section - but too
> > late: the xauth road warrior is declined at this point already. (See
> > snippets below.)
> 
> This might be the problem. We'll have to add a testcase for it and see
> if we can reproduce it.

Sounds like my requirement is really a problem, not a config issue. Huuu,
I'm not happy... Leads to a Linux update orgy, I suppose... (If someone is
able to correct this disadvantageous property.)


> You might be able to work around it using aggressive mode on the xauth
> connection.

I'm not sure if I understand you.

i. Aggressive Mode is better known as MITM Mode, I think. Am I right?
Agg. M. perhaps only works with PSKs?

ii. Isn't there the same problem: no combination of RSASIG/Main Mode and
Aggressive Mode at the same box? (And I'm not able to do without RSASIG/
Main Mode road warriors.)


(OMG, what a waste of time! And just for playing with iPhone... [Nobody has
an advantage. *smile* ])


Regards,
     Harald
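Editor's note, added example (not from Harald's or Paul's message, and not a configuration from the Openswan project): the ipsec.conf sketch below shows the situation the thread describes, two road-warrior conns whose IKE phase 1 parameters are identical, next to the aggressive-mode variant Paul points at. All certificate file names, IDs, subnets and proposal strings are constructed for illustration. The reason the workaround can help at all is a protocol fact: a main-mode initiator only sends its ID in the fifth message (encrypted), while an aggressive-mode initiator sends it in the very first one, and the exchange type in the ISAKMP header already differs between the two, so pluto has something to match a conn on before phase 1 is over. Whether the pluto version in question actually handles this mix is exactly what the thread leaves open; the example only shows the configuration involved.

```ini
config setup
        # hypothetical values; adjust to the gateway
        interfaces=%defaultroute
        protostack=netkey

# Conn 1: RSASIG road warriors, main mode (the default, aggrmode=no).
# Phase 1 consists of: our certificate, authby=rsasig, right=%any.
conn rw-rsasig
        left=%defaultroute
        leftcert=gwcert.pem                               # hypothetical file name
        leftrsasigkey=%cert
        leftid="C=DE, O=Example, CN=vpn.example.org"       # hypothetical DN
        right=%any
        rightrsasigkey=%cert
        rightca=%same
        authby=rsasig
        auto=add

# Conn 2: XAUTH road warriors with certificates. Phase 1 is the same as in
# rw-rsasig (same left cert, same right=%any, same authby), so pluto cannot
# tell the two apart from phase 1 alone; the xauth flags only become
# relevant afterwards. This is the problematic pair from the thread.
conn rw-xauth
        left=%defaultroute
        leftcert=gwcert.pem
        leftrsasigkey=%cert
        leftid="C=DE, O=Example, CN=vpn.example.org"
        leftxauthserver=yes
        right=%any
        rightrsasigkey=%cert
        rightca=%same
        rightxauthclient=yes
        authby=rsasig
        auto=add

# The workaround suggested in the thread: run the xauth conn in aggressive
# mode. The initiator's ID (rightid below) arrives in the first IKE message,
# so pluto can pick this conn before phase 1 completes. Cisco-style clients
# such as the iPhone's built-in one use exactly this combination (group name
# as ID, PSK, XAUTH). The matching PSK goes into ipsec.secrets.
conn rw-xauth-aggr
        left=%defaultroute
        leftid=@vpn.example.org                           # hypothetical FQDN ID
        leftxauthserver=yes
        right=%any
        rightid=@iphone-users                             # hypothetical group ID
        rightxauthclient=yes
        authby=secret
        aggrmode=yes
        # aggressive mode fixes the DH group in the first message, so give
        # one proposal only (constructed value)
        ike=aes128-sha1;modp1024
        auto=add
```

Caveat for anyone copying the third conn: aggressive mode sends the identities in the clear, and with authby=secret the responder's hash over the PSK is visible to anyone on the path, so a weak group PSK can be guessed offline. If it is used, the PSK should be long and random, and the XAUTH credentials must not be the only thing standing between the Internet and the inside network.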