[Swan-commit] Changes to ref refs/heads/master

2015-11-11 Thread Matt Rogers
New commits:
commit 6d909f1963dfecfcc08f114d6bd555b7fcf9184b
Author: Matt Rogers 
Date:   Wed Nov 11 12:34:56 2015 -0500

Add CAP_DAC_READ_SEARCH to the added capabilities

CAP_DAC_READ_SEARCH was only in the bounding set. Without it
in the added set, pam authentication with a stacked module that
accesses a privileged socket (i.e. pam_sss) will fail.

___
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit


[Swan-commit] Changes to ref refs/heads/master

2015-11-11 Thread Tuomo Soini
New commits:
commit 709e2a92d768afc6c78e5a243f0076ddec744c8a
Author: Tuomo Soini 
Date:   Thu Nov 12 08:18:18 2015 +0200

ipsec: custom directory not recognized, github issue #44



[Swan-commit] Changes to ref refs/heads/master

2015-11-11 Thread Tuomo Soini
New commits:
commit e53f06291598b19d55d668b4e0429efa41a565c5
Author: Tuomo Soini 
Date:   Wed Nov 11 20:42:42 2015 +0200

CHANGES: update for lswbz#248

commit 3c8dc46d53e3e5004b88f30b5ec3d06d5337951c
Author: Wolfgang Nothdurft 
Date:   Wed Nov 11 14:40:03 2015 +0100

pluto: fix keyingtries=0 doesn't try forever

Since the change in 11fbe4b1182a06b6794575405639b9727ffdd23b pluto doesn't 
try forever with keyingtries=%forever (keyingtries=0), because try <= try_limit 
can never match.

Signed-off-by: Tuomo Soini 



Re: [Swan-dev] regression in 3.16rc1

2015-11-11 Thread Tuomo Soini
On Wed, 11 Nov 2015 15:19:07 +0100
Wolfgang Nothdurft  wrote:


> Are there any info about that?
> 
> Maybe it has to do with my problem:
> 
> https://bugs.libreswan.org/show_bug.cgi?id=248

Actually it is caused by the problem you found. Or at least your patch
fixes it. Thank you, applied.


-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 
___
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev


Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-11 Thread Tom Robinson
Hi Matt,

Thanks for your response.

On 12/11/15 01:15, Matt Rogers wrote:
> You should set rightid=%fromcert so it will use the received cert subject
> as the ID here.
> 

I've added rightid=%fromcert to the connection but it still fails as follows:

Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=sha group=MODP1024}
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: new NAT mapping for #3330, was 165.228.94.4:500, now 165.228.94.4:4500
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: non-critical payload ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_v2CP) at the outermost level
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=AU, ST=Victoria, O=MoTeC Pty Ltd, OU=R, CN=Thomas Robinson, E=thomas.robin...@motec.com.au'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no crl from issuer "C=AU, ST=Victoria, L=Melbourne, O=MoTeC Pty Ltd, OU=R, CN=MoTeC CA, E=shaun.fiel...@motec.com.au" found (strict=no)
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: no RSA public key known for '%fromcert'
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4 #3330: RSA authentication failed
Nov 12 08:15:38 fw2 pluto[26342]: | ikev2_parent_inI2outR2_tail returned STF_FATAL
Nov 12 08:15:38 fw2 pluto[26342]: "ikev2-cp"[1] 165.228.94.4: deleting connection "ikev2-cp" instance with peer 165.228.94.4 {isakmp=#0/ipsec=#0}

Do I need to add all the keys for issued roadwarrior certificates on the server?

Kind regards,
Tom

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au



___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan