[Openswan Users] Openswan on Fedora 9

Michael H. Warfield mhw at WittsEnd.com
Sun May 18 17:15:04 EDT 2008


Some progress on my problem.

On Sun, 2008-05-18 at 13:48 -0400, Michael H. Warfield wrote:
> On Fri, 2008-05-16 at 19:02 +0200, Marek Greško wrote:
> > On Fri 16 May 2008 Marek Greško wrote:
> > > Hello,
> > >
> > > did anybody get openswan on Fedora 9 working? I have a configuration which
> > > worked on previous versions of Fedora, but after the upgrade to Fedora 9 no
> > > tunnel is established. It is not even attempted; no ESP is
> > > done.
> > >
> > > M.
> 
> > I found some interesting things. The upgrade to Fedora 9 rewrote 
> > the /etc/ipsec.conf file. But after restoring it, it still does not accept 
> > connections containing %defaultroute in any left, right, or any nexthop, even 
> > when interfaces=%defaultroute is in the setup section.
> 
> > What could be the problem?
> 
> 	Not sure about your problem or with %defaultroute but that's not the
> only problem, I haven't been able to get it to work either and it caused
> some serious breakage after upgrading some systems.  I had to pull it
> out entirely and downgrade to 2.4.9 from Fedora 8 (I'll try building
> a 2.4.12 rpm later).
> 
> 	My problem is in X.509 cert handling.  The problem looks like it's not
> handling cert DNs as the Main ID.
> 
> 	Here's what I see from a working connection from another 2.4.9 system
> (this is on one of the systems I downgraded back to 2.4.9):
> 
> May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: Main mode peer ID is
> ID_DER_ASN1_DN: 'C=US, ST=Georgia, L=Lilburn, O=Thaumaturgy & Speculums
> Technology, CN=remus.wittsend.com, E=postmaster at wittsend.com'
> May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: no crl from issuer
> "C=US, ST=Georgia, L=Lilburn, O=Thaumaturgy & Speculums Technology,
> OU=Certification Services, CN=WittsEnd Root CA, E=ca at wittsend.com" found
> (strict=no)
> May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: I am sending my cert
> May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> May 18 14:02:50 banshee pluto[8640]: "remus-0" #6: STATE_MAIN_R3: sent
> MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> 
> 	Here's what I get from the broken 2.6.09 system:
> 
> May 18 14:04:02 banshee pluto[8640]: "kolvir-0" #13: Main mode peer ID
> is ID_IPV4_ADDR: '209.134.176.84'
> May 18 14:04:02 banshee pluto[8640]: "kolvir-0" #13: no crl from issuer
> "C=US, ST=Georgia, L=Atlanta, O=Internet Security Systems Inc,
> OU=Certification Services, E=ca at iss.net" found (strict=no)
> May 18 14:04:02 banshee pluto[8640]: "kolvir-0" #13: no suitable
> connection for peer '209.134.176.84'

	Seems if I explicitly set the leftid="{cert subject}" I then get the
correct Main ID and I get further before blowing chunks...

May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: STATE_MAIN_R2:
sent MR2, expecting MI3
May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: Main mode peer ID
is ID_DER_ASN1_DN: 'C=GA, ST=Georgia, L=Atlanta, O=Internet Security
Systems Inc, CN=kolvir.iss.net, E=postmaster at iss.net'
May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: no crl from
issuer "C=US, ST=Georgia, L=Atlanta, O=Internet Security Systems Inc,
OU=Certification Services, E=ca at iss.net" found (strict=no)
May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: I am sending my
cert
May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
prf=oakley_sha group=modp2048}
May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: next payload type
of ISAKMP Hash Payload has an unknown value: 163
May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: malformed payload
in packet
May 18 17:28:12 banshee pluto[10932]: | payload malformed after IV
May 18 17:28:12 banshee pluto[10932]: |   ad 3e 6d 86  eb 83 f6 1c  80
26 f9 99  50 5b 06 78
May 18 17:28:12 banshee pluto[10932]: "kolvir-0" #114: sending
notification PAYLOAD_MALFORMED to 209.134.176.84:4500

	That still didn't work but then I discovered an error on the other side
(the 2.6 side) indicating it was requiring an ID of an IP address for
the 2.4 side.  So, on the 2.6 system, I explicitly set the leftid equal
to the local cert subject and the rightid equal to the remote cert
subject.  That seems to have finally made the connection.

	I didn't have to set the left/right id in 2.4 like this.  Is this a
policy change in 2.6 that the ID always defaults to the IP address and
you have to explicitly set the id to be the cert subject in order to
operate that way?

> 	In both cases, I'm using X.509 certs but I'm not being presented with
> the cert DN as the "Main mode peer ID" and then it can't find a matching
> connection in the configs.
> 
> > M.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
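
The fix Mike describes (pin leftid/rightid to the certificate subject DNs so pluto presents and expects an ID_DER_ASN1_DN instead of falling back to ID_IPV4_ADDR) as an ipsec.conf fragment. This is an added example written by the editor, not configuration from the post or from the Openswan project. The peer's DN and address are the ones pluto logged above, with the list archive's " at " restored to "@"; the banshee subject DN, the certificate file name and left=%defaultroute are assumptions, not taken from the post.

```conf
# Added example, not from the original post: the banshee side of the
# "kolvir-0" connection with both IDs pinned to certificate subjects.
config setup
        interfaces=%defaultroute
        # The log shows the peer on UDP 4500, i.e. NAT-T is in use.
        nat_traversal=yes

conn kolvir-0
        authby=rsasig
        left=%defaultroute
        # Assumed file name for the local certificate in /etc/ipsec.d/certs.
        leftcert=banshee.pem
        leftrsasigkey=%cert
        # Must match the Subject of leftcert exactly, attribute order included.
        # The banshee DN below is a placeholder; only the peer's DN is from the log.
        leftid="C=US, ST=Georgia, L=Lilburn, O=Thaumaturgy & Speculums Technology, CN=banshee.wittsend.com, E=postmaster@wittsend.com"
        right=209.134.176.84
        rightrsasigkey=%cert
        # The peer's subject as pluto logged it ("Main mode peer ID is ID_DER_ASN1_DN").
        # Without this, pluto matched the peer as ID_IPV4_ADDR and found
        # "no suitable connection for peer '209.134.176.84'".
        rightid="C=GA, ST=Georgia, L=Atlanta, O=Internet Security Systems Inc, CN=kolvir.iss.net, E=postmaster@iss.net"
        auto=add
```

The 2.6 side (kolvir) gets the same two DNs with leftid and rightid swapped, which is what Mike reports finally made the connection. When copying a subject out of a certificate with `openssl x509 -noout -subject -in <cert>`, note that OpenSSL prints the e-mail attribute as "emailAddress=" while pluto writes and expects "E="; the value pluto logs as "Main mode peer ID" is the safest thing to paste, since that is the exact string it will compare against. `ipsec auto --status` shows the IDs pluto has loaded for each conn, so a mismatch between the configured leftid and the loaded certificate's subject is visible there before any peer connects.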
