[Design] Re: [Users] multiple ipsec.secrets entries

On Tue, 25 Feb 2003, Road Warrior wrote:

(I have CC:ed this to design@ since I believe this is a design problem)

> I then noticed this on the gateway logs: Feb 25 19:25:32 sparta
> Pluto[24727]: "roadwarrior-net" 206.26.195.236 #6: multiple ipsec.secrets
> entries with distinct secrets match endpoints: first secret used
 

> The other three connections [understandably] could not be made.
>
> How do I work around this?
> Can I have multiple ipsec.secrets entries?
>
> I am using Linux FreeS/WAN 1.96 from debian stable.

Though 1.96 is an old version, I've recently encountered the same problem. You can find some information in the man page for ipsec.secrets, and there it says you can use multiple secrets, and that the "most exact" match for a secret is used.

However, I believe that scheme is no longer properly functioning, though I have yet to pinpoint what causes the failure. I think mixing x509 certificates and RSA keys is what is no longer working properly. The latter is used for Opportunistic Encryption, and in the 2.x series, this connection will be enabled by default (even if the connection is not specified in the ipsec.conf). Therefor, I believe anyone who is going to run X.509 certificates with Freeswan 2.x will run into this problem.

If you just want multiple road warriors to connect to your gateway, each using their own certificate, by far the easiest approach is to use a "certificate agency" that signs all the certificates of your roadwarriors. Then you only need to load the certificate of the CA on the gateway. You can use this together with a revocation list to disallow certain signed certifictes which administratively no longer should be valid, but are still valid technically (as specified in the signature of the ca). A good link on how to accomplish this is:

http://www.natecarlson.com/linux/ipsec-x509.php

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

Perhaps DHR and Stefan can comment on how it might be possible to get X509 and RSA secrets to co-exist in Pluto? And if so, then perhaps Claudia can put this information in the FAQ?

Paul