[Openswan Users] Upgrade 2.4.14 -> 2.6.21 Problem with secrets

Nick Howitt n1ck.h0w1tt at gmail.com
Mon Jun 29 14:11:34 EDT 2009


Hi Paul,

Have you been able to get anywhere with this?

Thanks,

Nick

On 22/06/2009 21:27, Paul Wouters wrote:
> On Mon, 22 Jun 2009, Nick Howitt wrote:
>
>> I have just upgraded from 2.4.14 to 2.6.21 and I've hit an issue with
>> ipsec.secrets.
>
> There should not be any differences there...
>
>>     leftnexthop=%defaultroute
>>     keylife=28800s     # (2.6.x only)                # salifetime and
>> lifetime do not work as aliases
>>     ikelifetime=28800s    # (2.6.x only)
>
> I am confused how that does not work, from keywords.c:
>
>     {"keylife",        kv_conn|kv_auto|kv_alias, kt_time,   
> KBF_SALIFETIME,NOT_ENUM},
>     {"lifetime",       kv_conn|kv_auto|kv_alias, kt_time,   
> KBF_SALIFETIME,NOT_ENUM},
>     {"salifetime",     kv_conn|kv_auto, kt_time,   
> KBF_SALIFETIME,NOT_ENUM},
>     {"ikelifetime",    kv_conn|kv_auto, kt_time,   
> KBF_IKELIFETIME,NOT_ENUM},
>
> Can you explain what "does not work" about those keywords?
>
>> and ipsec.secrets
>> %any : PSK "DialInSecret"
>> my.FQDN MumOut.FQDN : PSK "MumOutRouter'sSecret"
>>
>> This worked absolutely fine in 2.4.14. I have compiled 2.6.21 with
>> USE_DYNAMICDNS?=true and it no longer works.
>
> You can try and reverse the two entries, making the most specific one
> match first. David has a patch that should allow better picking with %any
> in the secrets, and I'll see about applying that shortly.
>
>> The documentation says the best match is used so for conn MumOut it
>> should pick up the second secret. In this scenario I cannot connect to
>> MumOut. If I switch the lines round in ipsec.secrets, I get the same
>> message and conn Mark is never able to establish with the following 
>> message:
>
> Hmm, so much for that idea then...
>
>> I do not even see how conn Mark should be matching "my.FQDN MumOut.FQDN
>> : PSK "MumOutRouter'sSecret" as MumOut.FQDN resolves to a completely
>> different IP address to the one which is initiating the connection.
>
> Note that secrets are read on startup.
>
> bug me in a few days if you have not seen me picking this up.
>
> Paul


More information about the Users mailing list