[Openswan Users] Openswan as modecfgserver?

Michael Richardson mcr at sandelman.ca
Wed Sep 9 15:27:52 EDT 2009


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> It seems I cannot make openswan work with clients as a MODECFG
    >> server. Is it supposed to work?

    Paul> Yes. we have testcases for it in testing/pluto/xauth*/*

    >> | p15 state object #1 found, in STATE_MODE_CFG_R1
    >> | processing connection road-warrior-host[1]
    >> | last Phase 1 IV:  d8 3b 77 2d  d6 49 fe 81
    >> | current Phase 1 IV:  e4 46 51 94  73 5e 2b 22
    >> | computed Phase 2 IV:
    >> |   13 5b bf cc  e6 30 7a 93  a5 69 37 61  1c 1d 10 1b
    >> "road-warrior-host"[1] #1: received MODECFG
    >> message when in state STATE_MODE_CFG_R1, and we aren't xauth client
    >> | * processed 0 messages from cryptographic helpers
    >>
    >> A couple of questions:
    >>
    >> 1. Why did the server try to push IP settings? Shouldn't it wait for the
    >> client to pull? What if the client side does not have modecfg set? How
    >> can I stop that from happening on the server side?

    Paul> I am not sure.

a) modecfg was never standardized in IKEv1, so it's hard to say what is

b) having said that, the document says that the server pushes, I think.
   (the server knows the policy, not the client after all)

c) Cisco clients and access servers do the opposite though.

There is a POLICY_MODECFG_PULL option, which you write as:

    >> 2. Why is the internal IP4 address the server tried to push the
    >> public IP address of the remote peer instead of an 'internal' one?

I do not recall where the list of IP addresses to configure comes from.
Someone was going to write a proper interface to radius to get it all
done properly/sanely.   I think that without using pools, it just pushes
the "subnet" (usually /32) which the gateway's policy is configured for.

    >> 3. Does openswan support the idea of virtual adaptor? I thought the
    >> remote must be in a different subnet, but modecfg seems to allow the
    >> remote to join the local network.

We don't care.
We already have a virtual adaptor called ipsec0.

    >> 4. I couldn't find anything from the document about how to fine control
    >> what is pushed to the client. Can I only push DNS stuff and avoid passing
    >> IP settings?

You would have to write some code to configure this, I think.
In general, in the client pull situation, the server only answers what
the client asked for.

    >> 5. What kind of changes do I need to make to get modecfg to work with two
    >> openswan boxes?

    Paul> Perhaps Michael can answer these questions better than me. Though have
    Paul> a look at the testcase configurations and see if those provide
    Paul> further information.

It certainly has worked. 
I don't know if the current release passes the xauth-* pluto test
cases.  The test cases are also detailed examples.

- -- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
