I think your "feature request" should be directed to D. Hugh
Redelmeier, the maintainer of the Pluto daemon. Simultaneous support
of both PSK and RSA based road warriors is not an X.509-specific feature
and should therefore go into the FreeS/WAN main version.
Regards
Andreas
James Harrison wrote:
> Andreas,
>
> Ok, as I am a user and not a developer is there a technical reason in
> the IPSec rfc why this feature/capability is not included and/or cannot
> be done in FS? Shouldn't it be possible to look through the connection
> list for %any AND RSASIG(Cert) as well as %any AND PSK connection
> definitions and proceed from there? Is the authentication request
> type (RSA vs PSK) available during Main Mode? Or is this only present
> during Phase 2? (I'm just asking so as to educate myself)
>
> Is this an item to be put in as a "feature request"? If so, is there some
> place to submit a feature request?
>
> As I understand your message I would need to use one box for
> certificates and one box for PSK authentication. Correct?
>
> Thanks for your time and help!
>
> Andreas Steffen wrote:
>> When a road warrior initiates a connection, Pluto doesn't know
>> anything about the peer. Using the function find_host_connection()
>> in connections.c it therefore searches its list of connections
>> for %any entries and takes the first one it finds as a tentative
>> connection description. The connection is refined only after the
>> peer's ID is received in message #5 of the ISAKMP Main Mode exchange.
>> Unfortunately the desired authentication method currently does not
>> go into the selection of the tentative connection. So in your case
>> the road warrior wants PSK but the connection selected by chance has
>> been configured for RSA signatures and the negotiation fails.
>>
>> In order to solve your problem, the method by which the first
>> connection is selected would have to be refined by taking
>> into account the desired authentication method.
>>
>> Regards
>>
>> Andreas
>>
>> James Harrison wrote:
>>> All,
>>>
>>> I posted this last week and still don't have an answer so I'm trying
>>> again.
>>>
>>> I am having trouble creating a config that will allow PSKs AND
>>> certificates for Road Warriors.
>>>
>>> I have some Safenet clients behind NAT'd firewalls (Linksys, etc.) and I
>>> have them working OK with certificates.
>>>
>>> I also have some Linksys VPN41 routers that I'm terminating into FS with
>>> PSKs. They also work flawlessly.
>>>
>>> My problem is that when I set up a config with connection definitions
>>> like (combining the two):
>>>
>>> conn cert
>>> authby=rsasig
>>> leftcert=freeswancert.pem
>>> leftsubnet=xxx.xxx.xxx.0/20
>>> right=%any
>>> rightsubnetwithin=192.168.26.0/24
>>> leftrsasigkey=%cert
>>> rightrsasigkey=%cert
>>>
>>>
>>> conn shared
>>> leftsubnet=xxx.xxx.xxx.0/24
>>> rightsubnet=192.168.32.0/24
>>> authby=secret
>>> right=%any
>>>
>>>
>>> It seems pluto can't distinguish between the two. I get log entries
>>> like:
>>>
>>> "cert"[67] 66.20.108.131 #68: no acceptable Oakley Transform
>>> Jul 18 16:09:56 localhost pluto[4249]: "cert"[67] 66.20.108.131:
>>> deleting connection "cert" instance with peer 66.20.108.131
>>> Jul 18 16:10:00 localhost pluto[4249]: "cert"[68] 66.20.108.131 #69:
>>> responding to Main Mode from unknown peer 66.20.108.131
>>> Jul 18 16:10:00 localhost pluto[4249]: "cert"[68] 66.20.108.131 #69:
>>> policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute
>>> OAKLEY_AUTHENTICATION_METHOD
>>> Jul 18 16:10:00 localhost pluto[4249]: "cert"[68] 66.20.108.131 #69:
>>> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
>>>
>>> My ipsec.secrets resembles:
>>>
>>> : RSA freeswankey.pem "passphrase"
>>>
>>> xxx.xxx.xxx.10 %any: PSK "the preshared key"
>>>
>>> Is this setup possible? Or do I have to have one FS box with PSKs and
>>> one FS box with certificates?
>>>
>>> Please help. I'm hoping to move away from a proprietary VPN
>>> concentrator and replace it with FS.
>>>
>>> Thanks
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
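To make the selection behaviour Andreas describes concrete, here is a small C model added to this archive page; it is not code from Pluto's connections.c or from the FreeS/WAN project. It keeps a constructed two-entry connection list in the order of the quoted ipsec.conf ("cert" with authby=rsasig, then "shared" with authby=secret), implements the first-%any selection that ignores the authentication method, and beside it the refined selection that also requires the initiator's proposed OAKLEY_AUTHENTICATION_METHOD to match. The struct and function names are this example's own, and the attribute values (pre-shared key = 1, RSA signatures = 3) are the ones defined for that attribute in RFC 2409. The point it shows: with the naive selection a PSK road warrior always lands on "cert" and fails the policy check exactly as the quoted log reports, while the auth-aware selection picks "shared" for that peer and "cert" for an RSA peer, all before the peer ID in message #5 is known.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values of the ISAKMP OAKLEY_AUTHENTICATION_METHOD attribute used here (RFC 2409). */
enum auth_method { AUTH_PRESHARED_KEY = 1, AUTH_RSA_SIG = 3 };

/* Cut-down stand-in for one connection entry (constructed; not Pluto's struct connection). */
struct conn {
    const char *name;
    const char *right;        /* "%any" marks a road-warrior template */
    enum auth_method authby;  /* authby=rsasig -> AUTH_RSA_SIG, authby=secret -> AUTH_PRESHARED_KEY */
};

/* Constructed list in the order the two definitions appear in the quoted ipsec.conf. */
static const struct conn conns[] = {
    { "cert",   "%any", AUTH_RSA_SIG },
    { "shared", "%any", AUTH_PRESHARED_KEY },
};
#define NCONNS (sizeof conns / sizeof conns[0])

static bool is_road_warrior_template(const struct conn *c)
{
    return strcmp(c->right, "%any") == 0;
}

/* Selection as described in the thread: the peer's ID is not yet known (it arrives in
   Main Mode message #5), so the first %any entry wins regardless of authentication method. */
const struct conn *find_host_connection_first_any(void)
{
    for (size_t i = 0; i < NCONNS; i++)
        if (is_road_warrior_template(&conns[i]))
            return &conns[i];
    return NULL;
}

/* Refined selection: the proposed authentication method is carried in the SA payload of
   Main Mode message #1, so it is available to narrow the choice before the ID is known. */
const struct conn *find_host_connection_by_auth(enum auth_method proposed)
{
    for (size_t i = 0; i < NCONNS; i++)
        if (is_road_warrior_template(&conns[i]) && conns[i].authby == proposed)
            return &conns[i];
    return NULL;
}

/* Policy check that corresponds to the quoted
   "policy does not allow OAKLEY_PRESHARED_KEY authentication" failure when it returns false. */
bool policy_allows_auth(const struct conn *c, enum auth_method proposed)
{
    return c != NULL && c->authby == proposed;
}

static const char *auth_name(enum auth_method m)
{
    return m == AUTH_PRESHARED_KEY ? "OAKLEY_PRESHARED_KEY" : "OAKLEY_RSA_SIG";
}

/* Walk the responder's decision for a PSK peer and an RSA peer under both selection rules. */
int main(void)
{
    const enum auth_method proposals[] = { AUTH_PRESHARED_KEY, AUTH_RSA_SIG };
    for (size_t i = 0; i < sizeof proposals / sizeof proposals[0]; i++) {
        enum auth_method p = proposals[i];
        const struct conn *naive = find_host_connection_first_any();
        const struct conn *refined = find_host_connection_by_auth(p);

        printf("peer proposes %s:\n", auth_name(p));
        printf("  first-%%any selection -> \"%s\": %s\n", naive->name,
               policy_allows_auth(naive, p) ? "proceeds"
                                            : "policy does not allow this authentication");
        printf("  auth-aware selection -> \"%s\": %s\n",
               refined ? refined->name : "(none)",
               policy_allows_auth(refined, p) ? "proceeds" : "no matching connection");
    }
    return 0;
}
```

Swapping the order of the two entries in the constructed list shows the mirror-image failure: the first-%any rule would then send every RSA client to "shared", which is why reordering ipsec.conf cannot fix this and the selection itself has to look at the proposed method.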
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:25 CEST