[Openswan Users] Openswan on Fedora 9

Michael H. Warfield mhw at WittsEnd.com
Mon Jun 9 11:54:34 EDT 2008


On Mon, 2008-05-19 at 17:02 -0400, Paul Wouters wrote:
> On Sun, 18 May 2008, Michael H. Warfield wrote:
> 
> > > I found some interesting things. The upgrade to Fedora 9 rewrote
> > > the /etc/ipsec.conf file. But after restoring it, it still does not accept
> > > connections containing defaultroute in any left, right, or any nexthop even
> > > when the interfaces=%defaultroute is in the setup section.
> >
> > > What could be the problem?
> >
> > 	Not sure about your problem or with %defaultroute but that's not the
> > only problem, I haven't been able to get it to work either and it caused
> > some serious breakage after upgrading some systems.  I had to pull it
> > out entirely and downgrade to 2.4.9 from Fedora 8 (I'll try building
> > a 2.4.12 rpm later).
> >
> > 	My problem is in X.509 cert handling.  The problem looks like it's not
> > handling cert DNs as the Main ID.

> You are caught by the "refine connection" bug. Try adding rightca=%any

> Please also add oe=off in "config setup".

	Looks like 2.6.14 solved this problem (2.6.13 did NOT).  I had to build
the rpms on a Fedora 8 system and then install them on the Fedora 9
system due to the rpmbuild problems reported in another message.

	I do see a couple of syslog messages that say to report this:

Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev at openswan.org
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev at openswan.org
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev at openswan.org
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev at openswan.org
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #4: initiating Quick Mode RSASIG+ENCRYPT+PFS+DONTREKEY+UP+IKEv2ALLOW {using isakmp#2 msgid:105aac72 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2

	Seems to be working, though.  Continuing to test.

> Paul

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
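
Added example, not part of the original message and not Openswan project code: a small Python parser for pluto syslog lines of the kind quoted above, which pulls out the negotiated ISAKMP SA parameters and collects the "please report" zero-byte allocation warnings per connection. The function name summarize() and the report layout are assumptions made for this example; the sample input is constructed from the log lines in the message.

```python
import re
from collections import defaultdict

# Constructed sample: pluto syslog lines copied from the message above.
SAMPLE = """\
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev at openswan.org
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev at openswan.org
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev at openswan.org
Jun  9 11:41:14 kolvir pluto[1240]: "remus" #2: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev at openswan.org
"""

# pluto[pid]: "connection" #state-number: message
LINE_RE = re.compile(
    r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Phase 1 completion line with the negotiated parameters in braces.
SA_RE = re.compile(
    r'(?P<phase>STATE_\w+): ISAKMP SA established \{(?P<params>[^}]*)\}')
# Internal-error lines that pluto asks the user to report upstream.
BUG_RE = re.compile(
    r'(?P<func>\w+)\(\) was mistakenly asked to malloc 0 bytes '
    r'for (?P<field>\w+) in (?P<caller>\w+), please report')


def summarize(text):
    """Return {connection: {"sa": {...}, "bugs": [(state, caller, field)]}}."""
    report = defaultdict(lambda: {"sa": {}, "bugs": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection pluto line
        entry = report[m["conn"]]
        sa = SA_RE.search(m["msg"])
        if sa:
            # "auth=X cipher=Y ..." -> {"auth": "X", "cipher": "Y", ...}
            entry["sa"] = dict(kv.split("=", 1) for kv in sa["params"].split())
        bug = BUG_RE.search(m["msg"])
        if bug:
            entry["bugs"].append((int(m["state"]), bug["caller"], bug["field"]))
    return dict(report)


if __name__ == "__main__":
    for conn, info in summarize(SAMPLE).items():
        print(conn, info["sa"])
        for state, caller, field in info["bugs"]:
            print(f"  #{state} {caller}: zero-length {field}")
```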
