With this in ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    interfaces="%defaultroute"

conn onera
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=mykerinos.cer
    leftsendcert=always
    right=144.204.128.1
    rightsubnet=125.1.0.0/16
    rightid="[EMAIL PROTECTED], C=FR, ST=Ile de France, L=CHATILLON, O=ONERA, OU=DRIS, CN=144.204.48.1"
    rightxauthserver=yes
    rightmodecfgserver=yes
    auto=start
    keyexchange=ike
    ike=aes256-md5
    esp=aes256-md5

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
I get this in logs:
May 11 09:22:10 mykerinos pluto[21853]: added connection description "onera"
May 11 09:22:10 mykerinos pluto[21853]: listening for IKE messages
May 11 09:22:10 mykerinos pluto[21853]: adding interface tun0/tun0 10.0.0.2:500
May 11 09:22:10 mykerinos pluto[21853]: adding interface weth_i/weth_i 144.204.48.104:500
May 11 09:22:10 mykerinos pluto[21853]: adding interface lo/lo 127.0.0.1:500
May 11 09:22:10 mykerinos pluto[21853]: adding interface lo/lo ::1:500
May 11 09:22:10 mykerinos pluto[21853]: loading secrets from "/etc/ipsec.secrets"
May 11 09:22:10 mykerinos pluto[21853]: loaded private key file '/etc/ipsec.d/private/cc-mykerinosKey.pem' (1675 bytes)
May 11 09:22:10 mykerinos pluto[21853]: loaded private key file '/etc/ipsec.d/private/mykerinosKey.pem' (1675 bytes)
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: initiating Main Mode
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: received Vendor ID payload [Dead Peer Detection]
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: I am sending my cert
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: I am sending a certificate request
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: Main mode peer ID is ID_DER_ASN1_DN: '[EMAIL PROTECTED], C=FR, ST=Ile de France, L=CHATILLON, O=ONERA, OU=DRIS, CN=144.204.48.1'
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: no crl from issuer "C=FR, ST=92, L=CHATILLON, O=onera, CN=lip6" found (strict=no)
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5 group=modp1024}
May 11 09:22:10 mykerinos pluto[21853]: "onera" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
May 11 09:22:52 mykerinos last message repeated 3 times
...which seems to clearly say that I should be an xauth client... :-)
Then I change the connection to:
conn onera
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=mykerinos.cer
    leftsendcert=always
    leftxauthclient=yes
    right=144.204.128.1
    rightsubnet=125.1.0.0/16
    rightid="[EMAIL PROTECTED], C=FR, ST=Ile de France, L=CHATILLON, O=ONERA, OU=DRIS, CN=144.204.48.1"
    rightxauthserver=yes
    rightmodecfgserver=yes
    auto=start
    keyexchange=ike
    ike=aes256-md5
    esp=aes256-md5
(notice the only change: add "leftxauthclient")
Which leads to:
May 11 09:28:00 mykerinos pluto[22166]: added connection description "onera"
May 11 09:28:00 mykerinos pluto[22166]: listening for IKE messages
May 11 09:28:01 mykerinos pluto[22166]: adding interface tun0/tun0 10.0.0.2:500
May 11 09:28:01 mykerinos pluto[22166]: adding interface weth_i/weth_i 144.204.48.104:500
May 11 09:28:01 mykerinos pluto[22166]: adding interface lo/lo 127.0.0.1:500
May 11 09:28:01 mykerinos pluto[22166]: adding interface lo/lo ::1:500
May 11 09:28:01 mykerinos pluto[22166]: loading secrets from "/etc/ipsec.secrets"
May 11 09:28:01 mykerinos pluto[22166]: loaded private key file '/etc/ipsec.d/private/cc-mykerinosKey.pem' (1675 bytes)
May 11 09:28:01 mykerinos pluto[22166]: loaded private key file '/etc/ipsec.d/private/mykerinosKey.pem' (1675 bytes)
May 11 09:28:01 mykerinos pluto[22166]: initiate on demand from 144.204.48.104:0 to 125.1.7.23:0 proto=0 state: fos_start because: acquire
May 11 09:28:01 mykerinos pluto[22166]: "onera" #1: initiating Main Mode
May 11 09:28:01 mykerinos pluto[22166]: packet from 144.204.128.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 11 09:28:01 mykerinos pluto[22166]: packet from 144.204.128.1:500: received and ignored informational message
...which is exactly what I get when I don't add the "ike=..." lines.
So, as far as my understanding goes, there's still a problem somewhere (which may be a problem with my understanding of openswan, which is not that big).
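The two pluto logs above carry the whole story of each attempt: the Main Mode state transitions, the ISAKMP SA parameters that were actually negotiated (RSA signatures, AES-256, but MD5 as the PRF and a 1024-bit MODP group), the "received MODECFG message ... we aren't xauth client" warning in the first run, and the peer's NO_PROPOSAL_CHOSEN notification in the second. As an added example (not code from the post or from Openswan), here is a small Python log summariser that pulls those facts out of pluto lines so the two runs can be compared at a glance. The syslog prefix format it assumes ("Mon DD HH:MM:SS host pluto[pid]: ..."), the embedded sample lines (constructed to mirror the post's output), and the "weak parameter" policy that flags oakley_md5 and modp1024 are this example's own assumptions, not anything stated in the post.

```python
"""Summarise an Openswan pluto log: Main Mode state transitions, the negotiated
ISAKMP SA parameters, and the two failure signatures seen in the post (a MODECFG
message received while we are not an XAUTH client, and a NO_PROPOSAL_CHOSEN
notification from the peer).

Added example, not from the post or from Openswan. The syslog prefix format and
the weak-parameter policy below are assumptions made for this example.
"""
import re

SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+pluto\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$'
)
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s+(?P<body>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
ESTABLISHED_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
NOTIFY_RE = re.compile(
    r'packet from (?P<peer>[\d.]+:\d+): ignoring informational payload, type (?P<type>\S+)'
)

# Assumed review policy (not from the post): MD5 as the IKE PRF and a 1024-bit
# MODP group are reported as weak even though the peer accepted them.
WEAK = {"prf": {"oakley_md5"}, "group": {"modp1024"}}


def parse_line(line):
    """Split one syslog line into its pluto fields. Returns None for lines that
    are not from pluto (e.g. syslog's own "last message repeated N times")."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "msg": m["msg"]}
    c = CONN_RE.match(rec["msg"])  # lines tied to a connection carry "name" #N:
    rec["conn"] = c["conn"] if c else None
    rec["sa"] = int(c["sa"]) if c else None
    rec["body"] = c["body"] if c else rec["msg"]
    return rec


def analyse(lines):
    """Walk the log once and collect transitions, SA parameters and findings."""
    out = {"transitions": [], "established": None, "weak": [], "findings": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        body = rec["body"]
        t = TRANSITION_RE.search(body)
        if t:
            out["transitions"].append((rec["sa"], t.group(1), t.group(2)))
        e = ESTABLISHED_RE.search(body)
        if e:
            # e.g. "auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5 group=modp1024"
            params = dict(p.split("=", 1) for p in e["params"].split())
            out["established"] = params
            out["weak"] += [f"{k}={params[k]}" for k, bad in WEAK.items() if params.get(k) in bad]
        if "received MODECFG message" in body and "aren't xauth client" in body:
            out["findings"].append("peer sent MODECFG but we are not configured as an xauth client")
        n = NOTIFY_RE.search(body)
        if n and n["type"] == "NO_PROPOSAL_CHOSEN":
            out["findings"].append(f"{n['peer']} rejected our IKE proposal (NO_PROPOSAL_CHOSEN)")
    return out


# Constructed sample logs, modelled on the shape of the post's two runs.
FIRST_RUN = [
    'May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: initiating Main Mode',
    'May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2',
    'May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3',
    'May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4',
    'May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5 group=modp1024}',
    'May 11 09:22:10 mykerinos pluto[21853]: "onera" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}',
    'May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: received MODECFG message when in state STATE_MAIN_I4, and we aren\'t xauth client',
    'May 11 09:22:52 mykerinos last message repeated 3 times',
]
SECOND_RUN = [
    'May 11 09:28:01 mykerinos pluto[22166]: "onera" #1: initiating Main Mode',
    'May 11 09:28:01 mykerinos pluto[22166]: packet from 144.204.128.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
    'May 11 09:28:01 mykerinos pluto[22166]: packet from 144.204.128.1:500: received and ignored informational message',
]

if __name__ == "__main__":
    for name, run in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        r = analyse(run)
        print(name, "->", r["established"], "weak:", r["weak"], "findings:", r["findings"])
```

Run against the first run it reports an established Phase 1 with two weak parameters and the MODECFG finding; against the second run it reports no Phase 1 at all, only the peer's NO_PROPOSAL_CHOSEN, which is the same shape of failure the post describes when the ike= line is absent. Feed it `journalctl`/syslog output for a real negotiation and the informational-notification branch is the first place to look when Main Mode stops at MI1.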

