[Openswan Users] Upgrade 2.4.14 -> 2.6.21 Problem with secrets

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Jun 23 13:34:44 EDT 2009 

Paul,

I've tested again changing USE_DYNAMICDNS?= back to false and it made no 
difference. It still uses the first secret.

I've had to downgrade back to 2.4.14 (soon to be .15!) in order to keep 
the two tunnels up.

Regards,

Nick

On 22/06/2009 21:27, Paul Wouters wrote:
> On Mon, 22 Jun 2009, Nick Howitt wrote:
>
>> I have just upgraded from 2.4.14 to 2.6.21 and I've hit an issue with
>> ipsec.secrets.
>
> There should not be any differences there...
>
>>     leftnexthop=%defaultroute
>>     keylife=28800s     # (2.6.x only)                # salifetime and
>> lifetime do not work as aliases
>>     ikelifetime=28800s    # (2.6.x only)
>
> I am confused how that does not work, from keywords.c:
>
>     {"keylife",        kv_conn|kv_auto|kv_alias, kt_time,   
> KBF_SALIFETIME,NOT_ENUM},
>     {"lifetime",       kv_conn|kv_auto|kv_alias, kt_time,   
> KBF_SALIFETIME,NOT_ENUM},
>     {"salifetime",     kv_conn|kv_auto, kt_time,   
> KBF_SALIFETIME,NOT_ENUM},
>     {"ikelifetime",    kv_conn|kv_auto, kt_time,   
> KBF_IKELIFETIME,NOT_ENUM},
>
> Can you explain what "does not work" about those keywords?
>
>> and ipsec.secrets
>> %any : PSK "DialInSecret"
>> my.FQDN MumOut.FQDN : PSK "MumOutRouter'sSecret"
>>
>> This worked absolutely fine in 2.4.14. I have compiled 2.6.21 with
>> USE_DYNAMICDNS?=true and it no longer works.
>
> You can try and reverse the two entries, making the most specific one
> match first. David has a patch that should allow better picking with %any
> in the secrets, and I'll see about applying that shortly.
>
>> The documentation says the best match is used so for conn MumOut it
>> should pick up the second secret. In this scenario I cannot connect to
>> MumOut. If I switch the lines round in ipsec.secrets, I get the same
>> message and conn Mark is never able to establish with the following 
>> message:
>
> Hmm, so much for that idea then...
>
>> I do not even see how conn Mark should be matching "my.FQDN MumOut.FQDN
>> : PSK "MumOutRouter'sSecret" as MumOut.FQDN resolves to a completely
>> different IP address to the one which is initiating the connection.
>
> Note that secrets are read on startup.
>
> bug me in a few days if you have not seen me picking this up.
>
> Paul

More information about the Users mailing list