[Openswan Users] Openswan on Fedora 9
Michael H. Warfield
mhw at WittsEnd.com
Mon May 19 20:58:18 EDT 2008
On Mon, 2008-05-19 at 17:02 -0400, Paul Wouters wrote:
> On Sun, 18 May 2008, Michael H. Warfield wrote:
>
> > > I found some interesting things. The upgrade to Fedora 9 rewrote
> > > the /etc/ipsec.conf file. But after restoring it, it still does not accept
> > > connections containing defaultroute in any left, right, or any nexthop even
> > > when the interfaces=%defaultroute is in the setup section.
> >
> > > What could be the problem?
> >
> > Not sure about your problem or with %defaultroute but that's not the
> > only problem, I haven't been able to get it to work either and it caused
> > some serious breakage after upgrading some systems. I had to pull it
> > out entirely and downgrade to 2.4.9 from Fedora 8 (I'll try building
> > a 2.4.12 rpm later).
> >
> > My problem is in X.509 cert handling. The problem looks like it's not
> > handling cert DNs as the Main ID.
> You are caught by the "refine connection" bug. Try adding rightca=%any
No joy. Symptoms not affected at all. Still got the wrong main mode
id and still no connections.
> Please also add oe=off in "config setup".
Tried that too.
> Paul
I looked further and it seems I was wrong when I thought everything was
working when I specified the certificate subject. It looks like pluto
is completing negotiations but then none of the routes appear on the
2.6.09 side and I can't ping from the 2.4.9 side (where the routes did
appear).
I don't have a spot, right now, where I can test 2.6.09 to 2.6.09.
I've had to drop all my production tunnels back to 2.4.9 to 2.4.9 and
I've only got two backup / test 2.6.09 servers attempting tunnels to two
operational 2.4.9 servers.
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!