Hi Paul,
this config is not supposed to send the cert DN as the id, correct?
conn me---you
authby=rsasig
ike=aes128-sha1-modp1536
phase2alg=aes128-sha1;modp1536
dpdaction=clear
dpddelay=30
dpdtimeout=300
left=%defaultroute
leftcert=me.pem
right=X.X.X.X
rightsubnet=Y.Y.Y.Y/24
rightid="C=AT, ST=Vienna, L=Vienna, O=Company, OU=IT, CN=you"
auto=add
ipsec auto --up me---you
104 "me---you" #3: STATE_MAIN_I1: initiate
003 "me---you" #3: received Vendor ID payload [RFC 3947] method set to=109
003 "me---you" #3: received Vendor ID payload [Dead Peer Detection]
106 "me---you" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "me---you" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "me---you" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "me---you" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp1536}
117 "me---you" #4: STATE_QUICK_I1: initiate
004 "me---you" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x08bf5b3b <0x0616cd17 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
But:
Jun 28 19:42:06 me pluto[1573]: "me---you" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jun 28 19:42:06 me pluto[1573]: | ***emit ISAKMP Identification Payload (IPsec DOI):
Jun 28 19:42:06 me pluto[1573]: | next payload type: ISAKMP_NEXT_CERT
Jun 28 19:42:06 me pluto[1573]: | ID type: ID_DER_ASN1_DN
Jun 28 19:42:06 me pluto[1573]: | Protocol ID: 0
Jun 28 19:42:06 me pluto[1573]: | port: 0
Jun 28 19:42:06 me pluto[1573]: | emitting 95 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
dpkg --list openswan
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                 Version                Description
+++-====================-======================-=============================
ii  openswan             1:2.6.27+dfsg-1        Internet Key Exchange daemon
At least according to the manpage, we should send the IP as the identification...
Harald
On Mon, Jun 28, 2010 at 01:05:56PM -0400, Paul Wouters wrote:
> On Mon, 28 Jun 2010, Rene Mayrhofer wrote:
>
> >On Monday 28 June 2010 07:51:07 Harald Jenny wrote:
> >>Sorry Paul, but I don't think the current behaviour is correct - there is no
> >>indication for the user why *id is ignored, and this is not good :-(.
> >I would tend to agree with that...
>
> On 2.6, it should have a leftid=%fromcert
>
> This change was made because in 2.4 it ALWAYS took the id from cert, and you could
> not override it. Now it takes the id from leftid= but you have to tell it to pick
> it up from the cert.
>
> But imho, this has nothing to do with this "bug". If you have a conn with a broken
> leftcert= pointing to a non-existing file, it can't work. It cannot grab the id from
> the cert since the cert is not there. I still don't understand how that could ever "work"
> on 2.4.
>
> I am getting increasingly frustrated with this. It needs a much better explanation of
> how it can "work". And "work" should be more than "loads the conn that has no chance of
> ever working".
>
> Paul
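As an added check written for this thread (example code, not part of Openswan), the script below parses a conn block and the `plutodebug` lines and reports which ID type pluto actually emitted versus what the conn implies. The rule it encodes, that leftid= defaults to left= and only leftid=%fromcert selects the certificate DN, is taken from Paul's description above and is an assumption of the checker, as are the sample conn and log lines, which are constructed to match the ones quoted here.

```python
import re

# Constructed sample conn block and pluto debug lines, modelled on those quoted in the thread.
CONN = '''conn me---you
    authby=rsasig
    left=%defaultroute
    leftcert=me.pem
    rightid="C=AT, ST=Vienna, L=Vienna, O=Company, OU=IT, CN=you"
'''
PLUTO_LOG = '''Jun 28 19:42:06 me pluto[1573]: | ***emit ISAKMP Identification Payload (IPsec DOI):
Jun 28 19:42:06 me pluto[1573]: |    ID type: ID_DER_ASN1_DN
Jun 28 19:42:06 me pluto[1573]: | emitting 95 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
'''

def parse_conn(text):
    """Return the key=value options of a conn block (surrounding quotes stripped)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn ") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip().strip('"')
    return opts

def emitted_id(log):
    """Return (ID type, byte count) of the Identification Payload pluto emitted, else None."""
    id_type = None
    for line in log.splitlines():
        if m := re.search(r"ID type: (ID_\w+)", line):
            id_type = m.group(1)
        elif (m := re.search(r"emitting (\d+) raw bytes of my identity", line)) and id_type:
            return id_type, int(m.group(1))
    return None

def expected_id_type(opts):
    """ID type the conn implies. Assumption taken from the discussion: leftid defaults to
    left, and only leftid=%fromcert selects the certificate DN."""
    leftid = opts.get("leftid") or opts.get("left", "")
    if leftid == "%fromcert" or "=" in leftid:   # cert DN, or a DN written out literally
        return "ID_DER_ASN1_DN"
    if leftid.startswith("@"):                   # @name is sent as an FQDN identity
        return "ID_FQDN"
    return "ID_IPV6_ADDR" if ":" in leftid else "ID_IPV4_ADDR"  # %defaultroute resolves to a local address

def id_mismatch(conn_text, log):
    """Return (expected, emitted) when pluto's ID type differs from what the conn implies."""
    expected = expected_id_type(parse_conn(conn_text))
    got = emitted_id(log)
    return None if got is None or got[0] == expected else (expected, got[0])
```

Run against the conn and log from this thread it reports expected ID_IPV4_ADDR but emitted ID_DER_ASN1_DN, which is the discrepancy Harald describes; adding leftid=%fromcert makes the two agree.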