[Openswan Users] Openswan on Fedora 9

Michael H. Warfield mhw at WittsEnd.com
Mon May 19 20:58:18 EDT 2008

On Mon, 2008-05-19 at 17:02 -0400, Paul Wouters wrote:
> On Sun, 18 May 2008, Michael H. Warfield wrote:
> > > I found some interesting things. Upgrade to Fedora 9 rewritten
> > > the /etc/ipsec.conf file. But after restoring it still does not accept
> > > connections containing defaultorute in any left, right, or any nexthop even
> > > when the interfaces=%defaultroute is in the setup section.
> >
> > > What could be the problem?
> >
> > 	Not sure about your problem or with %defaultroute but that's not the
> > only problem, I haven't been able to get it to work either and it caused
> > some serious breakage after upgrading some systems.  I had to pull it
> > out entirely and downgrade to 2.4.9 from Fedora 8 (I'll trying building
> > a 2.4.12 rpm later).
> >
> > 	My problem is in X.509 cert handling.  The problem looks like it's not
> > handling cert DNs as the Main ID.

> You are caught by the "refine connection" bug. Try adding rightca=%any

	No joy.  Symptoms not affected at all.  Still got the wrong main mode
id and still no connections.

> Please also add oe=off in "config setup".

	Tried that too.

> Paul

	I looked further and it seems I was wrong when I thought everything was
working when I specified the certificate subject.  It looks like pluto
is completing negotiations but then none of the routes appear on the
2.6.09 side and I can't ping from the 2.4.9 side (where the routes did

	I don't have a spot, right now, where I can test 2.6.09 to 2.6.09.
I've had to drop all my production tunnels back to 2.4.9 to 2.4.9 and
I've only got two backup / test 2.6.09 servers attempting tunnels to two
operational 2.4.9 servers. 

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20080519/f31f565c/attachment.bin 

More information about the Users mailing list