[Openswan Users] pluto assertion
Brad Johnson
bjohnson at astrocorp.com
Mon Oct 13 11:40:58 EDT 2008
Has anyone else seen this? I try to connect using certificates with the
responder having a rightid containing wildcards and pluto crashes with
the following syslog message:
Oct 13 10:27:48 PowerLink pluto[1837]: "server" #2: ASSERTION FAILED at kernel.c:2237: c->kind == CK_PERMANENT || c->kind == CK_INSTANCE
This happened originally on Openswan version 2.4.9, but I just tried it
on 2.6.14 and I get the same result.
Here is my initiator configuration:
conn peer-peer
    left=192.168.2.204
    leftnexthop=192.168.2.192
    auto=add
    right=192.168.10.2
    rightsubnet=192.168.5.0/24
    rightid="/C=US/ST=MN/O=Astrocom/OU=Engineering/CN=server"
    keyingtries=2
    aggrmode=no
    pfs=no
    ikelifetime=8h
    auth=esp
    authby=rsasig
    leftcert=/etc/ipsec/ipsec.d/certs/ralph.pem
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    dpddelay=30
    dpdtimeout=60
    dpdaction=restart
Here is the responder side (note the rightid wildcard):
conn server
    left=192.168.10.2
    leftnexthop=192.168.10.10
    auto=add
    leftsubnet=192.168.5.0/24
    right=192.168.2.204
    rightid="/C=US/ST=MN/O=Astrocom/OU=Engineering/CN=*"
    keyingtries=2
    aggrmode=no
    pfs=no
    ikelifetime=8h
    auth=esp
    authby=rsasig
    leftcert=/etc/ipsec/ipsec.d/certs/server.pem
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    dpddelay=30
    dpdtimeout=60
    dpdaction=restart
This works fine if I remove the "right=192.168.2.204" from the responder
side. So apparently wildcards are illegal in a non-roadwarrior type of
configuration?
Thanks,
Brad Johnson
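
What a wildcard rightid such as CN=* means for identity matching, as an added example that is not part of the original post and not Openswan's code: a simplified Python model in which a "*" RDN value accepts any value and the matching pattern with the fewest wildcards is preferred. The function names, the exact string comparison and the CN=ralph subject are assumptions made for the illustration; it does not reproduce the assertion failure.

```python
# Added illustration: a simplified model of wildcard matching on certificate
# subject DNs. This is not pluto's code; function names are hypothetical.

def parse_dn(dn):
    """Split '/C=US/O=Example/CN=host' into a list of (type, value) pairs."""
    rdns = []
    for part in dn.strip().strip("/").split("/"):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def match_dn(pattern, subject):
    """Return (matched, wildcards_used). A pattern value of '*' accepts any
    value for that RDN; every other RDN must be identical, in the same order."""
    p, s = parse_dn(pattern), parse_dn(subject)
    if len(p) != len(s):
        return (False, 0)
    wildcards = 0
    for (p_attr, p_val), (s_attr, s_val) in zip(p, s):
        if p_attr != s_attr:
            return (False, 0)
        if p_val == "*":
            wildcards += 1
        elif p_val != s_val:
            return (False, 0)
    return (True, wildcards)

def best_match(patterns, subject):
    """Pick the matching pattern with the fewest wildcards (most specific)."""
    hits = []
    for pat in patterns:
        ok, n = match_dn(pat, subject)
        if ok:
            hits.append((n, pat))
    return min(hits)[1] if hits else None

# IDs from the two configurations in the post.
WILDCARD_ID = "/C=US/ST=MN/O=Astrocom/OU=Engineering/CN=*"
SERVER_ID = "/C=US/ST=MN/O=Astrocom/OU=Engineering/CN=server"
# Constructed sample subject for the initiator's certificate (not from the post).
PEER = "/C=US/ST=MN/O=Astrocom/OU=Engineering/CN=ralph"

if __name__ == "__main__":
    print(match_dn(WILDCARD_ID, PEER))
    print(match_dn(SERVER_ID, PEER))
    print(best_match([WILDCARD_ID, PEER], PEER))
```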