When a road warrior initiates a connection, Pluto doesn't know
anything about the peer. Using the function find_host_connection()
in connections.c it therefore searches its list of connections
for %any entries and takes the first one it finds as a tentative
connection description. The connection is refined only after the
peer's ID is received in message #5 of the ISAKMP Main Mode exchange.
Unfortunately the desired authentication method currently does not
go into the selection of the tentative connection. So in your case
the road warrior wants PSK but the connection selected by chance has
been configured for RSA signatures and the negotiation fails.
In order to solve your problem, the method by which the first
connection is selected would have to be refined by taking
into account the desired authentication method.
Regards
Andreas
James Harrison wrote:
> All,
>
> I posted this last week and still don't have an answer so I'm trying
> again.
>
> I am having trouble creating a config that will allow PSKs AND
> certificates for Road Warriors.
>
> I have some Safenet clients behind NAT'd firewalls (Linksys, etc.) and I
> have them working OK with certificates.
>
> I also have some Linksys VPN41 routers that I'm terminating into FS with
> PSK's. They also work flawlessly.
>
> My problem is that when I setup a config with connection definitions
> like (combining the two):
>
> conn cert
>     authby=rsasig
>     leftcert=freeswancert.pem
>     leftsubnet=xxx.xxx.xxx.0/20
>     right=%any
>     rightsubnetwithin=192.168.26.0/24
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>
>
> conn shared
>     leftsubnet=xxx.xxx.xxx.0/24
>     rightsubnet=192.168.32.0/24
>     authby=secret
>     right=%any
>
>
> It seems pluto can't distinguish between the two. I get log entries
> like:
>
> "cert"[67] 66.20.108.131 #68: no acceptable Oakley Transform
> Jul 18 16:09:56 localhost pluto[4249]: "cert"[67] 66.20.108.131:
> deleting connection "cert" instance with peer 66.20.108.131
> Jul 18 16:10:00 localhost pluto[4249]: "cert"[68] 66.20.108.131 #69:
> responding to Main Mode from unknown peer 66.20.108.131
> Jul 18 16:10:00 localhost pluto[4249]: "cert"[68] 66.20.108.131 #69:
> policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute
> OAKLEY_AUTHENTICATION_METHOD
> Jul 18 16:10:00 localhost pluto[4249]: "cert"[68] 66.20.108.131 #69:
> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
>
> My ipsec.secrets resembles:
>
> : RSA rw1_key.pem "passphrase"
> : RSA rw2_key.pem "passphrase"
> : RSA freeswankey.pem "passphrase"
> xxx.xxx.xxx.10 %any: PSK "the preshared key"
>
>
>
> Is this setup possible? Or do I have to have one FS box with PSK's and
> one FS box with certificates.
>
> Do I need a %any and a 0.0.0.0 entry in config and secrets to
> distinguish the two (I tried this and it didn't work)?
>
> Please help. I'm hoping to move away from a proprietary VPN
> concentrator and replace it with FS.
>
> Thanks
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
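The selection behaviour Andreas describes, as an added toy model that is not FreeS/WAN code and not part of this thread: a first-%any lookup in the style of find_host_connection(), shown beside the hypothetical refinement that also takes the peer's proposed authentication method into account. The connection list, the OAKLEY-to-authby mapping and the log-style messages are constructed for the illustration and only approximate what Pluto actually logs.

```python
# Added illustration (not FreeS/WAN's own code): a toy model of Pluto's
# tentative connection selection for road warriors, contrasting the
# first-%any match described in the reply with a hypothetical refinement
# that also considers the peer's proposed authentication method.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Conn:
    name: str
    right: str      # peer address, or "%any" for road warriors
    authby: str     # "rsasig" or "secret", as in ipsec.conf


# Constructed connection list mirroring the two definitions in the question.
CONNS: List[Conn] = [
    Conn("cert", "%any", "rsasig"),
    Conn("shared", "%any", "secret"),
]

# Constructed mapping from the ISAKMP authentication method (named as Pluto
# logs it) to the corresponding ipsec.conf authby value.
OAKLEY_TO_AUTHBY = {
    "OAKLEY_RSA_SIG": "rsasig",
    "OAKLEY_PRESHARED_KEY": "secret",
}


def find_host_connection_naive(conns: List[Conn], peer_addr: str) -> Optional[Conn]:
    """Model of the behaviour described in the reply: an exact address match
    wins, otherwise the first %any entry is taken, regardless of authby."""
    for c in conns:
        if c.right == peer_addr:
            return c
    for c in conns:
        if c.right == "%any":
            return c
    return None


def find_host_connection_refined(conns: List[Conn], peer_addr: str,
                                 proposed_auth: str) -> Optional[Conn]:
    """Hypothetical refinement suggested in the reply: among matching entries,
    prefer one whose authby agrees with the peer's proposed method."""
    wanted = OAKLEY_TO_AUTHBY.get(proposed_auth)
    for c in conns:
        if c.right == peer_addr and c.authby == wanted:
            return c
    for c in conns:
        if c.right == "%any" and c.authby == wanted:
            return c
    return None


def main_mode_responder(conns: List[Conn], peer_addr: str, proposed_auth: str,
                        refined: bool = False) -> Tuple[Optional[str], str]:
    """Pick a tentative connection for an incoming Main Mode proposal and
    return (connection name, outcome message). The message text is
    constructed to resemble, not reproduce, Pluto's log lines."""
    if refined:
        c = find_host_connection_refined(conns, peer_addr, proposed_auth)
    else:
        c = find_host_connection_naive(conns, peer_addr)
    if c is None:
        return None, "no connection for peer"
    if c.authby != OAKLEY_TO_AUTHBY.get(proposed_auth):
        return c.name, f"policy does not allow {proposed_auth} authentication"
    return c.name, "accepted"


if __name__ == "__main__":
    # A road warrior at a constructed address proposing pre-shared keys:
    # the naive lookup lands on "cert" and the negotiation fails, the
    # refined lookup lands on "shared" and proceeds.
    peer = "192.0.2.10"
    print(main_mode_responder(CONNS, peer, "OAKLEY_PRESHARED_KEY"))
    print(main_mode_responder(CONNS, peer, "OAKLEY_PRESHARED_KEY", refined=True))
    print(main_mode_responder(CONNS, peer, "OAKLEY_RSA_SIG"))
```

Running the block shows the mismatch the thread's log excerpt reports: with the naive lookup every road warrior is first assigned to "cert" because it is the first %any entry, so a PSK proposal is rejected before the peer's ID ever arrives; the refined lookup avoids this by letting the proposed authentication method narrow the candidate list.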
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:25 CEST