[Openswan Users] Establishing a VPN connection using certificates, --id <IP Address> vs --id <DN>

Marcos Hacker mfhacker at hotmail.com
Mon Jun 1 09:30:53 EDT 2009


I started a new thread since this is a separate issue. Originally I had posted a problem trying to connect OpenSWAN 2.6.19 to a Netgear FVS338. 

In the original scenario, if I copied the end certificate from the Netgear (right) to our Linux machine (left) and specified a rightid = <IPAddress of Netgear FVS338>, rightcert = <certfile.pem> then the connection would establish (Phase 1 IKE and Phase 2 IPSec). If the right's end certificate was not loaded on the left, we'd see a "no RSA public key known for '130.168.1.2'" error. 

This issue seems to be using an ID of type ID_IPV4_ADDR. If we try the same connection using an ID of type ID_DER_ASN1_DN (specified on the Netgear/right) and specify rightid = DN, the connection establishes as expected without having the right's end certificate loaded on the left. 

In other words, when the Netgear identifies itself with its WAN IP Address, OpenSWAN cannot seem to find the public key unless that key is loaded locally and specified directly. If the Netgear identifies itself with its DN, then no public key needs to be loaded locally, but the id field does still need to know about the DN of the Netgear (right).

We've noticed (by adding numerous lines of debug) in the successfully connected case, the Connection_Type(SPD of remote host -RIGHT) and the Key_type (Public Key saved off locally -LEFT) are of the same type. This type is ID_DER_ASN1_DN.

In the failure case (where the remote -RIGHT sends back the id of IP Address instead of DN), the Connection_Type is set to ID_IPV4_ADDR and the Key_Type is still set to ID_DER_ASN1_DN.  When the same_id() function is called, it checks that the two 'kinds' are the same; if not, it returns failure.

The add_x509_public_key function is always adding in the key.id.kind as type ID_DER_ASN1_DN.  I believe that the connection type is varying from machine to machine, depending on settings (i.e. IP Address Type or DN Type), however the key is always being added as ID_DER_ASN1_DN type. This makes the same_id function fail out.

I would like to comment out the following code in an attempt to get OpenSWAN to continue on and connect with an ID type of <IP Address>.

Within /lib/libopenswan/id.c::same_id(const struct id *a, const struct id *b), this if statement checks ID Type of pointer a and pointer b.

if (a->kind != b->kind)
    return FALSE;

I do not know the repercussions of this code change within the OpenSWAN architecture.

marcos
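Added example (not code from this post or from Openswan): a small C model of the ID-kind mismatch described in the message, which keeps the kind check in same_id() and instead resolves an ID_IPV4_ADDR peer ID through the certificate's iPAddress subjectAltName rather than through its subject DN. The enum values, struct layout, find_key_index and all sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of Openswan's ID kinds and struct id (assumed, not the real ones). */
enum id_kind { ID_NONE = 0, ID_IPV4_ADDR = 1, ID_DER_ASN1_DN = 9 };
struct id { enum id_kind kind; const uint8_t *data; size_t len; }; /* 4 IP bytes or DER DN */

/* Kind-aware comparison that keeps the check the post proposes to remove:
 * an IPv4 ID and a DN ID are never the same, whatever their bytes. */
bool same_id(const struct id *a, const struct id *b)
{
    if (a->kind != b->kind)
        return false;
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* A loaded end certificate reduced to the two identities it can carry:
 * the subject DN (what add_x509_public_key records) and an iPAddress SAN. */
struct cert_key { const char *label; struct id subject_dn; struct id san_ip; };

/* Constructed sample values: a DER DN for CN=fv and the post's 130.168.1.2. */
static const uint8_t NETGEAR_DN[] = { 0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
                                      0x55, 0x04, 0x03, 0x0c, 0x02, 'f', 'v' };
static const uint8_t NETGEAR_IP[] = { 130, 168, 1, 2 };
static const uint8_t OTHER_IP[]   = { 192, 0, 2, 7 };

static const struct cert_key LOADED_KEYS[] = {
    { "netgear-fvs338", { ID_DER_ASN1_DN, NETGEAR_DN, sizeof NETGEAR_DN },
                        { ID_IPV4_ADDR,   NETGEAR_IP, sizeof NETGEAR_IP } },
};
/* The ID the Netgear sends in the failing case: kind ID_IPV4_ADDR. */
static const struct id PEER_IP_ID = { ID_IPV4_ADDR, NETGEAR_IP, sizeof NETGEAR_IP };

/* Resolve a peer ID to a loaded key without dropping the kind check: compare it
 * against the certificate field of the same kind. Returns the index or -1. */
int find_key_index(enum id_kind kind, const uint8_t *data, size_t len)
{
    struct id peer = { kind, data, len };
    for (size_t i = 0; i < sizeof LOADED_KEYS / sizeof LOADED_KEYS[0]; i++) {
        const struct id *cand = (kind == ID_IPV4_ADDR) ? &LOADED_KEYS[i].san_ip
                                                       : &LOADED_KEYS[i].subject_dn;
        if (same_id(&peer, cand))
            return (int)i;
    }
    return -1;
}
```

Whether Openswan's own key lookup consults the SAN this way is not established by the thread; the model only shows that the IP-ID case can be matched without weakening same_id().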


