[Openswan Users] Openswan on Fedora 9
Michael H. Warfield
mhw at WittsEnd.com
Sun May 18 13:48:07 EDT 2008
On Fri, 2008-05-16 at 19:02 +0200, Marek Greško wrote:
> On Fri, 16 May 2008, Marek Greško wrote:
> > Hello,
> >
> > did anybody get openswan on Fedora 9 working? I have a configuration which
> > worked on previous versions of Fedora, but after upgrading to Fedora 9 no
> > tunnel is established. It is not even attempted; no ESP is
> > done.
> >
> > M.
> I found some interesting things. Upgrading to Fedora 9 rewrote
> the /etc/ipsec.conf file. But after restoring it, it still does not accept
> connections containing %defaultroute in any left, right, or any nexthop, even
> when interfaces=%defaultroute is in the setup section.
> What could be the problem?
Not sure about your problem or with %defaultroute, but that's not the
only problem. I haven't been able to get it to work either, and it caused
some serious breakage after upgrading some systems. I had to pull it
out entirely and downgrade to 2.4.9 from Fedora 8 (I'll try building
a 2.4.12 rpm later).
My problem is in X.509 cert handling. The problem looks like it's not
handling cert DNs as the Main ID.
Here's what I see from a working connection from another 2.4.9 system
(this is on one of the systems I downgraded back to 2.4.9):
May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, ST=Georgia, L=Lilburn, O=Thaumaturgy & Speculums
Technology, CN=remus.wittsend.com, E=postmaster at wittsend.com'
May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: no crl from issuer
"C=US, ST=Georgia, L=Lilburn, O=Thaumaturgy & Speculums Technology,
OU=Certification Services, CN=WittsEnd Root CA, E=ca at wittsend.com" found
(strict=no)
May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: I am sending my cert
May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Here's what I get from the broken 2.6.09 system:
May 18 14:04:02 banshee pluto[8640]: "kolvir-0" #13: Main mode peer ID
is ID_IPV4_ADDR: '209.134.176.84'
May 18 14:04:02 banshee pluto[8640]: "kolvir-0" #13: no crl from issuer
"C=US, ST=Georgia, L=Atlanta, O=Internet Security Systems Inc,
OU=Certification Services, E=ca at iss.net" found (strict=no)
May 18 14:04:02 banshee pluto[8640]: "kolvir-0" #13: no suitable
connection for peer '209.134.176.84'
In both cases I'm using X.509 certs, but in the second case I'm not being
presented with the cert DN as the "Main mode peer ID", and then it can't
find a matching connection in the configs.
> M.
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
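The working "remus-0" log above only matches because pluto received the peer's certificate DN as the Main mode ID and found a conn whose rightid equals that DN. The following ipsec.conf fragment is an added example, not taken from the post or from the Openswan project, of the shape of conn that log is matched against, with both sides' IDs pinned explicitly to certificate DNs so that matching does not depend on whichever ID type the peer chooses to send. Assumptions: banshee's own certificate lives in /etc/ipsec.d/certs/banshee.pem with the DN given for leftid (the CN is invented); the remus DN is the one printed in the working log, with "@" in place of the archive's "at" obfuscation.

```ini
# Added example (not from the post or the Openswan project).
# Certificate-authenticated conn on banshee with explicit DN identities.
# Assumed: leftcert file name and banshee's DN (CN=banshee.wittsend.com is invented);
# the remus DN is the one shown in the working 2.4.9 log.

config setup
    # %defaultroute: pick the interface that carries the default route
    interfaces=%defaultroute
    plutodebug=none

conn %default
    # RSA signatures with the key taken from each side's X.509 certificate
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=3

conn remus-0
    left=%defaultroute
    leftcert=banshee.pem
    # An id string containing '=' is parsed as a distinguished name (ID_DER_ASN1_DN),
    # so this is exactly the ID pluto logs as "Main mode peer ID" on the remote side.
    leftid="C=US, ST=Georgia, L=Lilburn, O=Thaumaturgy & Speculums Technology, CN=banshee.wittsend.com, E=postmaster@wittsend.com"
    right=%any
    rightid="C=US, ST=Georgia, L=Lilburn, O=Thaumaturgy & Speculums Technology, CN=remus.wittsend.com, E=postmaster@wittsend.com"
    auto=add
```

This pins what banshee expects, but it does not by itself change what the peer sends. A peer that presents ID_IPV4_ADDR, as the 2.6.09 "kolvir-0" log shows, will still fail with "no suitable connection for peer" against a conn whose rightid is a DN; the peer has to be configured (with a DN-valued leftid on its side) to send the DN, and whether that is enough to work around the 2.6.09 behaviour described in this thread is not established here.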