Re: [Design] Re: [Users] multiple ipsec.secrets entries
From: Paul Wouters <paul(at)xtdnet.nl>
Date: Wed Feb 26 2003 - 10:40:23 EST
Doing a followup on my own ramblings:

> However, I believe that scheme is no longer properly functioning, though

Adding a @FQDN to the normal secret works in that OE connections work again, so changing:

    : RSA {

to:

    @plaything.xtdnet.nl: RSA {

fixes that, but still causes the wrong things for the x509, which seems to be fighting with the OE conn:

Feb 26 16:23:22 plaything pluto[16270]: packet from 159.18.124.34:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Feb 26 16:23:22 plaything pluto[16270]: packet from 159.18.124.34:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Feb 26 16:23:22 plaything pluto[16270]: packet from 159.18.124.34:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 26 16:23:22 plaything pluto[16270]: "roadwarrior"[1] 159.18.124.34 #13: responding to Main Mode from unknown peer 159.18.124.34
Feb 26 16:23:22 plaything pluto[16270]: "roadwarrior"[1] 159.18.124.34 #13: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 26 16:23:22 plaything pluto[16270]: "roadwarrior"[1] 159.18.124.34 #13: Peer ID is ID_DER_ASN1_DN: 'C=CA, L=Toronto, O=Freeswan Project, CN=laptop.freeswan.ca, E=kenb@freeswan.ca'
Feb 26 16:23:22 plaything pluto[16270]: "eth0_2-to-anyone"[1] 193.110.157.14/32=== ...159.18.124.34===? #13: deleting connection "roadwarrior" instance with peer 159.18.124.34
Feb 26 16:23:22 plaything pluto[16270]: | NAT-T: new mapping 159.18.124.34:500/4500)
Feb 26 16:23:22 plaything pluto[16270]: "eth0_2-to-anyone"[1] 193.110.157.14/32=== ...159.18.124.34===? #13: sent MR3, ISAKMP SA established
Feb 26 16:23:23 plaything pluto[16270]: "eth0_2-to-anyone"[1] 193.110.157.14/32=== ...159.18.124.34===? #13: Informational Exchange message for an established ISAKMP SA must be encrypted
Feb 26 16:23:33 plaything pluto[16270]: "eth0_2-to-anyone"[1] 193.110.157.14/32=== ...159.18.124.34===? #13: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 26 16:23:33 plaything pluto[16270]: "eth0_2-to-anyone"[1] 193.110.157.14/32=== ...159.18.124.34===? #13: Informational Exchange message for an established ISAKMP SA must be encrypted
Feb 26 16:26:07 plaything pluto[16270]: "eth0_2-to-anyone"[1] 193.110.157.14/32=== ...159.18.124.34===?: deleting connection "eth0_2-to-anyone" instance with peer 159.18.124.34

Trying to add the x509 ID in ipsec.secrets seems to die on the space in the O= section:

Feb 26 16:32:52 plaything pluto[19432]: "/etc/ipsec.secrets" line 1: unknown OID in ID_DER_ASN1_DN "@"C=NL,L=Amsterdam,O=Xtended"
Feb 26 16:32:52 plaything pluto[19432]: "/etc/ipsec.secrets" line 1: unknown OID in ID_DER_ASN1_DN "Internet,CN=plaything.xtdnet.nl,"
Feb 26 16:32:52 plaything pluto[19432]: loaded private key file '/etc/ipsec.d/private/plaything.xtdnet.nl.key' (951 bytes)

So, I'm still not sure how to combine OE+x509 based connections where the leftid= values are different and the connections are being made *at the same time* (active OE initiating on incoming x509 request).

Paul

Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design

Received on Wed Feb 26 11:19:21 2003
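The two "unknown OID" errors above show the index part of the secrets line being cut at the space in "O=Xtended Internet", with the double quote sitting after the "@" rather than at the start of the token. The following lint is an added example, not code from the post or from FreeS/WAN: it reproduces that tokenisation under assumed lexer rules (index text before the first ':' is split at whitespace; only a token that begins with a double quote runs to its closing quote; a quote mid-token is an ordinary character), flags DN text that is not one quoted token, and applies a deliberately simplified secret-selection rule (empty index is a wildcard, otherwise the index must list the local ID verbatim), which is not pluto's real matching logic. The sample lines, the DN strings and the key placeholders are constructed for the example.

```python
# Added example, not FreeS/WAN code: lint for the index part of ipsec.secrets
# lines, reproducing the tokenisation that the post's "unknown OID" log lines
# show.  Assumed lexer rules (my reading of those errors, not verified against
# pluto's lex.c):
#   * the index is everything before the first ':' outside double quotes;
#   * it is split at whitespace, except that a token *starting* with a double
#     quote runs to the matching closing quote;
#   * a double quote in the middle of a token is an ordinary character, which
#     is why  @"C=NL,...,O=Xtended Internet,..."  splits at the space.
from __future__ import annotations


def split_secret_line(line: str) -> tuple[str, str]:
    """Return (index_part, secret_part) around the first ':' outside quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ":" and not in_quote:
            return line[:i].strip(), line[i + 1:].strip()
    return line.strip(), ""


def tokenize_index(index_part: str) -> list[str]:
    """Split the index part into ID tokens under the assumed rules above."""
    tokens: list[str] = []
    i, n = 0, len(index_part)
    while i < n:
        if index_part[i].isspace():
            i += 1
        elif index_part[i] == '"':                 # quoted token: run to closing quote
            end = index_part.find('"', i + 1)
            end = n - 1 if end == -1 else end      # unterminated quote: take the rest
            tokens.append(index_part[i:end + 1])
            i = end + 1
        else:                                      # bare token: run to whitespace
            j = i
            while j < n and not index_part[j].isspace():
                j += 1
            tokens.append(index_part[i:j])
            i = j
    return tokens


def looks_like_dn_fragment(token: str) -> bool:
    """Crude test for a piece of an X.509 DN: 'attr=value,attr=value' text."""
    body = token.strip('"').lstrip("@")
    return "=" in body and "," in body


def lint_index(index_part: str) -> list[str]:
    """Report DN text that is not one quoted token; pluto would read it as
    several IDs, each failing with 'unknown OID' as in the post."""
    problems = []
    for tok in tokenize_index(index_part):
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            continue                                # one quoted ID token: fine
        if looks_like_dn_fragment(tok):
            problems.append(f'DN fragment {tok!r}: write the whole DN as a single "..." token')
    return problems


def secrets_for(local_id: str, lines: list[str]) -> list[str]:
    """Simplified selector (assumed, not pluto's real scoring): an entry
    applies when its index is empty (wildcard) or lists local_id verbatim.
    Returns the secret parts of the applicable entries, in file order."""
    chosen = []
    for line in lines:
        index_part, secret_part = split_secret_line(line)
        ids = tokenize_index(index_part)
        if not ids or local_id in ids:
            chosen.append(secret_part)
    return chosen


# Constructed sample ipsec.secrets lines mirroring the variants discussed in
# the post; DN strings and "key-*" placeholders are illustrative only.
BAD_DN_LINE = '@"C=NL,L=Amsterdam,O=Xtended Internet,CN=plaything.xtdnet.nl": RSA { key-bad }'
GOOD_DN_LINE = '"C=NL, L=Amsterdam, O=Xtended Internet, CN=plaything.xtdnet.nl": RSA { key-dn }'
FQDN_LINE = "@plaything.xtdnet.nl: RSA { key-fqdn }"
WILDCARD_LINE = ": RSA { key-any }"

if __name__ == "__main__":
    for line in (BAD_DN_LINE, GOOD_DN_LINE, FQDN_LINE, WILDCARD_LINE):
        idx, _ = split_secret_line(line)
        print(tokenize_index(idx), lint_index(idx))
    print(secrets_for("@plaything.xtdnet.nl", [WILDCARD_LINE, FQDN_LINE, GOOD_DN_LINE]))
```

Running it shows the bad line producing exactly the two fragments quoted in the log, while the quoted form stays a single token; under the simplified selector the wildcard entry applies to every local ID, which is the behaviour that lets an OE connection and an x509 connection with different leftid= values share a file once each explicit index parses cleanly.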