Bug#571133: [Openswan dev] Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-08-22 Thread Harald Jenny
On Sun, Aug 22, 2010 at 12:53:12PM +0300, Tuomo Soini wrote:
> Paul Wouters wrote:
> > On Thu, 19 Aug 2010, Harald Jenny wrote:
> 
> > I don't think it would hurt. But we're still looking at why an incorrectly
> > configured configuration that happened to work, "broke".
> > 
> > The check could be changed to see if dst->id.kind is loaded with "%fromcert"
> > before clearing it.
> 
> This cleaning up was added to fix pluto crash with leftid=%fromcert and
> invalid or missing certificate in leftcert=.

Hmmm, so there are two ways to clean up this situation: the first is to allow a
leftid to be set if it's not %fromcert, also when leftcert is missing; the
other is to make it clear in the error message that leftid is unset due to
the missing cert file. Which one makes more sense to you, Tuomo?

> 
> -- 
> Tuomo Soini 
> Foobar Linux services
> +358 40 5240030
> Foobar Oy 



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#571133: [Openswan dev] Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-08-22 Thread Tuomo Soini
Paul Wouters wrote:
> On Thu, 19 Aug 2010, Harald Jenny wrote:

> I don't think it would hurt. But we're still looking at why an incorrectly
> configured configuration that happened to work, "broke".
> 
> The check could be changed to see if dst->id.kind is loaded with "%fromcert"
> before clearing it.

This cleaning up was added to fix pluto crash with leftid=%fromcert and
invalid or missing certificate in leftcert=.

-- 
Tuomo Soini 
Foobar Linux services
+358 40 5240030
Foobar Oy 






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-08-20 Thread Harald Jenny
On Thu, Aug 19, 2010 at 11:37:47AM -0400, Paul Wouters wrote:
> On Thu, 19 Aug 2010, Harald Jenny wrote:
> 
> >I think I found something:
> >
> >in programs/pluto/connections.c, line 816
> >
> >   if(!valid_cert) {
> >       whack_log(RC_FATAL, "can not load certificate file %s\n"
> >                 , filename);
> >       /* clear the ID, we're expecting it via %fromcert */
> >       dst->id.kind = ID_NONE;
> >       return;
> >   }
> >
> >This is an incorrect assumption because since version 2.5.16 leftid does not
> >default anymore to %fromcert. On the other hand it seems that in 2.4.12 the
> >leftid value is kept even when no leftcert is present. What implications would
> >a removal of
> >dst->id.kind = ID_NONE;
> >have?
> 
> I don't think it would hurt.

Ok

> But we're still looking at why an incorrectly
> configured configuration that happened to work, "broke".

Because of the code changes - in 2.4 leftid was automatically set when a
leftcert was set, but on the other hand could be overridden by the leftid
param. Setting a custom leftid after first sourcing the leftid from leftcert
was therefore a reasonable way; on the other hand unsetting the leftid at the
point when the attempt to source the file failed was ok too. In 2.6 the leftid
gets dropped, regardless of whether it came from the cert or not, when the file
is invalid.

> 
> The check could be changed to see if dst->id.kind is loaded with "%fromcert"
> before clearing it.

Sounds reasonable.

> 
> Paul

Thanks for your time
Harald

> >>
> >>Paul
> >
> >Kind regards
> >Harald
> >






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-08-19 Thread Paul Wouters

On Thu, 19 Aug 2010, Harald Jenny wrote:

> I think I found something:
>
> in programs/pluto/connections.c, line 816
>
>     if(!valid_cert) {
>         whack_log(RC_FATAL, "can not load certificate file %s\n"
>                   , filename);
>         /* clear the ID, we're expecting it via %fromcert */
>         dst->id.kind = ID_NONE;
>         return;
>     }
>
> This is an incorrect assumption because since version 2.5.16 leftid does not
> default anymore to %fromcert. On the other hand it seems that in 2.4.12 the
> leftid value is kept even when no leftcert is present. What implications would
> a removal of
> dst->id.kind = ID_NONE;
> have?

I don't think it would hurt. But we're still looking at why an incorrectly
configured configuration that happened to work, "broke".

The check could be changed to see if dst->id.kind is loaded with "%fromcert"
before clearing it.

Paul

>> Paul
>
> Kind regards
> Harald








Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-08-18 Thread Harald Jenny
Hi Paul

On Mon, Jun 28, 2010 at 01:05:56PM -0400, Paul Wouters wrote:
> On Mon, 28 Jun 2010, Rene Mayrhofer wrote:
> 
> >On Monday 28 June 2010 07:51:07 Harald Jenny wrote:
> >>Sorry Paul but I don't think the current behaviour is correct - there is no
> >>indication for the user why *id is ignored and this is not good :-(.
> >I would tend to agree with that...
> 
> On 2.6, it should have a leftid=%fromcert
> 
> This change was made because in 2.4 it ALWAYS took the id from cert, and you
> could not override it. Now it takes the id from leftid= but you have to tell
> it to pick it up from the cert.
> 
> But imho, this has nothing to do with this "bug". If you have a conn with a
> broken leftcert= pointing to a non-existing file, it can't work. It cannot
> grab the id from the cert since the cert is not there. I still don't
> understand how that could ever "work" on 2.4.
> 
> I am getting increasingly frustrated with this. It needs a much better
> explanation of how it can "work". And "work" should be more than "loads the
> conn that has no chance of ever working"

I think I found something:

in programs/pluto/connections.c, line 816

    if(!valid_cert) {
        whack_log(RC_FATAL, "can not load certificate file %s\n"
                  , filename);
        /* clear the ID, we're expecting it via %fromcert */
        dst->id.kind = ID_NONE;
        return;
    }

This is an incorrect assumption because since version 2.5.16 leftid does not
default anymore to %fromcert. On the other hand it seems that in 2.4.12 the
leftid value is kept even when no leftcert is present. What implications would
a removal of
dst->id.kind = ID_NONE; 
have?

> 
> Paul

Kind regards
Harald






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-28 Thread Harald Jenny
Hi Paul,

this config is not supposed to send the cert DN as id, correct?

conn me---you
authby=rsasig
ike=aes128-sha1-modp1536
phase2alg=aes128-sha1;modp1536
dpdaction=clear
dpddelay=30
dpdtimeout=300
left=%defaultroute
leftcert=me.pem
right=X.X.X.X
rightsubnet=Y.Y.Y.Y/24
rightid="C=AT, ST=Vienna, L=Vienna, O=Company, OU=IT, CN=you"
auto=add

ipsec auto --up me---you
104 "me---you" #3: STATE_MAIN_I1: initiate
003 "me---you" #3: received Vendor ID payload [RFC 3947] method set to=109
003 "me---you" #3: received Vendor ID payload [Dead Peer Detection]
106 "me---you" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "me---you" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "me---you" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "me---you" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp1536}
117 "me---you" #4: STATE_QUICK_I1: initiate
004 "me---you" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x08bf5b3b <0x0616cd17 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}

But:

Jun 28 19:42:06 me pluto[1573]: "me---you" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jun 28 19:42:06 me pluto[1573]: | ***emit ISAKMP Identification Payload (IPsec DOI):
Jun 28 19:42:06 me pluto[1573]: |next payload type: ISAKMP_NEXT_CERT
Jun 28 19:42:06 me pluto[1573]: |ID type: ID_DER_ASN1_DN
Jun 28 19:42:06 me pluto[1573]: |Protocol ID: 0
Jun 28 19:42:06 me pluto[1573]: |port: 0
Jun 28 19:42:06 me pluto[1573]: | emitting 95 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)

dpkg --list openswan
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name      Version           Description
+++-=========-=================-==============================
ii  openswan  1:2.6.27+dfsg-1   Internet Key Exchange daemon

At least according to the manpage we should send the IP as identification...

Harald


On Mon, Jun 28, 2010 at 01:05:56PM -0400, Paul Wouters wrote:
> On Mon, 28 Jun 2010, Rene Mayrhofer wrote:
> 
> >On Monday 28 June 2010 07:51:07 Harald Jenny wrote:
> >>Sorry Paul but I don't think the current behaviour is correct - there is no
> >>indication for the user why *id is ignored and this is not good :-(.
> >I would tend to agree with that...
> 
> On 2.6, it should have a leftid=%fromcert
> 
> This change was made because in 2.4 it ALWAYS took the id from cert, and you
> could not override it. Now it takes the id from leftid= but you have to tell
> it to pick it up from the cert.
> 
> But imho, this has nothing to do with this "bug". If you have a conn with a
> broken leftcert= pointing to a non-existing file, it can't work. It cannot
> grab the id from the cert since the cert is not there. I still don't
> understand how that could ever "work" on 2.4.
> 
> I am getting increasingly frustrated with this. It needs a much better
> explanation of how it can "work". And "work" should be more than "loads the
> conn that has no chance of ever working"
> 
> Paul






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-28 Thread Harald Jenny
On Mon, Jun 28, 2010 at 01:05:56PM -0400, Paul Wouters wrote:
> On Mon, 28 Jun 2010, Rene Mayrhofer wrote:
> 
> >On Monday 28 June 2010 07:51:07 Harald Jenny wrote:
> >>Sorry Paul but I don't think the current behaviour is correct - there is no
> >>indication for the user why *id is ignored and this is not good :-(.
> >I would tend to agree with that...
> 
> On 2.6, it should have a leftid=%fromcert

Ok

> 
> This change was made because in 2.4 it ALWAYS took the id from cert, and you
> could not override it.

So setting leftid in 2.4 with a cert would have had no effect? But if a
certificate wasn't there it would use it, correct?

> Now it takes the id from leftid= but you have to tell it to pick
> it up from the cert.

Hmmm ok

> 
> But imho, this has nothing to do with this "bug".

Well I think we have two things here, first the missing cert file and second the
usage of the id line.

> If you have a conn with a broken
> leftcert= pointing to a non-existing file, it can't work.

Well true, but in one of the last mails you said that this cannot be considered
a bug per se as you told me that one could copy the cert in after adding but
before starting the connection, so refusing to add the connection without an
existing certificate is not an option for you.

> It cannot grab the id from
> the cert since the cert is not there. I still don't understand how that could
> ever "work" on 2.4.

:-) I guess because the cert was not there it just used the id - please see the 
pseudo code:

2.4

IF (CERT)
  ADD_CERT
ENDIF
ADD_ID

2.6

IF (CERT)
  ADD_CERT
  ADD_ID
ENDIF

> 
> I am getting increasingly frustrated with this.

Sorry but I see the point the user tries to make and as without users software
won't be used I guess we should try to find some kind of solution?

> It needs a much better explanation of
> how it can "work". And "work" should be more than "loads the conn that has no
> chance of ever working"

Please look above; I guess the pseudo code is just how it worked. Btw, how is it
supposed to work to later add the cert to the conn when the id cannot be
determined at the time of adding the conn?

> 
> Paul

Harald
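As an added illustration of the two code paths this thread describes (Harald's 2.4/2.6 pseudo-code above and the connections.c snippet quoted in the August messages), here is a small C model that is not Openswan's own code: the 2.6 path clears an end's id whenever its certificate file cannot be loaded, the checked variant clears it only when the id was %fromcert and otherwise keeps the configured id and says so in the message. The id kinds, the struct layout, the mock certificate store (only "me.pem" exists) and run_scenario() are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Names follow the thread (ID_NONE, %fromcert); the layout is this example's. */
enum id_kind { ID_NONE, ID_FROMCERT, ID_DER_ASN1_DN };

struct end {
    enum id_kind kind;   /* where this end's ISAKMP identity comes from */
    char id[128];        /* DN text once kind == ID_DER_ASN1_DN */
};

/* Constructed stand-in for the cert store: only "me.pem" exists, with a made-up DN. */
static bool load_cert(const char *filename, char *dn, size_t dn_len)
{
    if (strcmp(filename, "me.pem") != 0) return false;
    snprintf(dn, dn_len, "C=AT, O=Company, CN=%s", filename);
    return true;
}

/* left/rightid= value -> kind; NULL or "" means the option was absent. */
static void parse_id(const char *value, struct end *dst)
{
    dst->id[0] = '\0';
    if (value == NULL || *value == '\0') { dst->kind = ID_NONE; return; }
    if (strcmp(value, "%fromcert") == 0) { dst->kind = ID_FROMCERT; return; }
    size_t n = strlen(value);
    if (n >= 2 && value[0] == '"' && value[n - 1] == '"') { value++; n -= 2; } /* strip quotes */
    snprintf(dst->id, sizeof dst->id, "%.*s", (int)n, value);
    dst->kind = ID_DER_ASN1_DN;
}

/* Common tail: only a %fromcert id is replaced by the certificate's DN. */
static void id_from_cert(struct end *dst, const char *dn)
{
    if (dst->kind == ID_FROMCERT) {
        snprintf(dst->id, sizeof dst->id, "%s", dn);
        dst->kind = ID_DER_ASN1_DN;
    }
}

/* 2.6 path as quoted from connections.c: an unloadable cert wipes the id, even an explicit one. */
void load_end_cert_26(struct end *dst, const char *filename)
{
    char dn[128];
    if (!load_cert(filename, dn, sizeof dn)) {
        fprintf(stderr, "can not load certificate file %s\n", filename);
        dst->kind = ID_NONE;
        return;
    }
    id_from_cert(dst, dn);
}

/* Paul's suggestion: clear the id only when it was to come from the cert,
 * and say in the log message what happened to the id either way. */
void load_end_cert_checked(struct end *dst, const char *filename)
{
    char dn[128];
    if (!load_cert(filename, dn, sizeof dn)) {
        bool fromcert = dst->kind == ID_FROMCERT;
        fprintf(stderr, "can not load certificate file %s, %s\n", filename,
                fromcert ? "id left unset" : "keeping configured id");
        if (fromcert) dst->kind = ID_NONE;
        return;
    }
    id_from_cert(dst, dn);
}

static char last_id[128]; /* id text left behind by the last run_scenario() */
const char *scenario_last_id(void) { return last_id; }

/* Run one id/cert configuration through either path and return the final id kind. */
enum id_kind run_scenario(const char *idvalue, const char *certfile, bool checked)
{
    struct end e;
    parse_id(idvalue, &e);
    if (checked) load_end_cert_checked(&e, certfile); else load_end_cert_26(&e, certfile);
    snprintf(last_id, sizeof last_id, "%s", e.id);
    return e.kind;
}
```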






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-28 Thread Paul Wouters

On Mon, 28 Jun 2010, Rene Mayrhofer wrote:

> On Monday 28 June 2010 07:51:07 Harald Jenny wrote:
>> Sorry Paul but I don't think the current behaviour is correct - there is no
>> indication for the user why *id is ignored and this is not good :-(.
> I would tend to agree with that...

On 2.6, it should have a leftid=%fromcert

This change was made because in 2.4 it ALWAYS took the id from cert, and you
could not override it. Now it takes the id from leftid= but you have to tell
it to pick it up from the cert.

But imho, this has nothing to do with this "bug". If you have a conn with a
broken leftcert= pointing to a non-existing file, it can't work. It cannot
grab the id from the cert since the cert is not there. I still don't
understand how that could ever "work" on 2.4.

I am getting increasingly frustrated with this. It needs a much better
explanation of how it can "work". And "work" should be more than "loads the
conn that has no chance of ever working"

Paul






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-27 Thread Rene Mayrhofer
On Monday 28 June 2010 07:51:07 Harald Jenny wrote:
> Sorry Paul but I don't think the current behaviour is correct - there is no
> indication for the user why *id is ignored and this is not good :-(.
I would tend to agree with that...

best regards,
Rene






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-27 Thread Harald Jenny
On Sun, Jun 27, 2010 at 07:10:27PM -0400, Paul Wouters wrote:
> On Mon, 28 Jun 2010, Harald Jenny wrote:
> 
> >>I am not sure what you mean. If you use a conn with an invalid leftcert= and
> >>it does not work, what exactly is the bug?
> >
> >That it worked in 2.4 and not in 2.6 ;-)
> 
> I'm still unsure of that until proven :P

Well what proof do you want? I have tested it yesterday night...

> 
> >(what the bugreport said) - the leftid gets ignored in 2.6 which is a change
> >in behaviour. Maybe it would be more beneficial to decline to add a
> >connection with a non-existent certificate file in the first place?
> 
> But if they load the conn, then copy in the certificate, it can work. I think
> the current behaviour is fine. When needed and missing, complain.

Sorry Paul but I don't think the current behaviour is correct - there is no
indication for the user why *id is ignored and this is not good :-(.

> 
> Paul

Harald






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-27 Thread Paul Wouters

On Mon, 28 Jun 2010, Harald Jenny wrote:

>> I am not sure what you mean. If you use a conn with an invalid leftcert= and
>> it does not work, what exactly is the bug?
>
> That it worked in 2.4 and not in 2.6 ;-)

I'm still unsure of that until proven :P

> (what the bugreport said) - the leftid gets ignored in 2.6 which is a change in
> behaviour. Maybe it would be more beneficial to decline to add a connection
> with a non-existent certificate file in the first place?

But if they load the conn, then copy in the certificate, it can work. I think
the current behaviour is fine. When needed and missing, complain.

Paul






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-27 Thread Harald Jenny
On Sun, Jun 27, 2010 at 06:17:21PM -0400, Paul Wouters wrote:
> On Mon, 28 Jun 2010, Harald Jenny wrote:
> 
> >>>Does the problem still persist when you omit the line that refers
> >>>to the non-existent certificate?
> >>
> >>No. Actually that was the only solution I've found to get it
> >>working again.
> >
> >And again right - Paul, could you point me to where to look for this issue?
> 
> I am not sure what you mean. If you use a conn with an invalid leftcert= and
> it does not work, what exactly is the bug?

That it worked in 2.4 and not in 2.6 ;-) (what the bugreport said) - the leftid
gets ignored in 2.6 which is a change in behaviour. Maybe it would be more
beneficial to decline to add a connection with a non-existent certificate file
in the first place?

> 
> Paul

Harald






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-27 Thread Paul Wouters

On Mon, 28 Jun 2010, Harald Jenny wrote:

>>> Does the problem still persist when you omit the line that refers
>>> to the non-existent certificate?
>>
>> No. Actually that was the only solution I've found to get it
>> working again.
>
> And again right - Paul, could you point me to where to look for this issue?

I am not sure what you mean. If you use a conn with an invalid leftcert= and
it does not work, what exactly is the bug?

Paul






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-27 Thread Harald Jenny
On Fri, Jun 25, 2010 at 08:28:39PM +0200, Benjamin S. wrote:
> 
> Dear Harald,

Hello Benjamin

> 
> On Wed, 23 Jun 2010 10:27:32 +0200
> Harald Jenny  wrote:
> 
> > I talked with Paul about your issue and he is not sure how your
> > setup worked in the first place as the config you specified should
> > be considered invalid.
> 
> Unfortunately I have no system with lenny anymore and thus I can't
> test it again. But I'm almost sure that the configuration worked
> with it and stopped working after the upgrade to testing.

Well as I'm a really nasty guy I tested your setup in my environment and found 
that your report is 100% correct...

> 
> Can you explain why it is invalid? If it is because of the
> non-existent certificate would there be the possibility to add a
> warning or an error message that complains about it?

Yes that's the reason - there is already a message

Jun 27 23:53:20 i-am pluto[28146]:   could not open host cert file '/etc/ipsec.d/certs/testing-cert.pem'

but it's logged when you start openswan (which can be quite some lines above 
the connection initiation).

> 
> > Does the problem still persist when you omit the line that refers
> > to the non-existent certificate?
> 
> No. Actually that was the only solution I've found to get it
> working again.

And again right - Paul, could you point me to where to look for this issue?

> 
> 
> Kind regards
> Benjamin

Wish you a good night
Harald






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-25 Thread Benjamin S.

Dear Harald,

On Wed, 23 Jun 2010 10:27:32 +0200
Harald Jenny  wrote:

> I talked with Paul about your issue and he is not sure how your
> setup worked in the first place as the config you specified should
> be considered invalid.

Unfortunately I have no system with lenny anymore and thus I can't
test it again. But I'm almost sure that the configuration worked
with it and stopped working after the upgrade to testing.

Can you explain why it is invalid? If it is because of the
non-existent certificate would there be the possibility to add a
warning or an error message that complains about it?

> Does the problem still persist when you omit the line that refers
> to the non-existent certificate?

No. Actually that was the only solution I've found to get it
working again.


Kind regards
Benjamin






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-06-23 Thread Harald Jenny
Dear Benjamin,

I talked with Paul about your issue and he is not sure how your setup worked in
the first place as the config you specified should be considered invalid. Does
the problem still persist when you omit the line that refers to the non-existent
certificate?

Kind regards
Harald






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-02-25 Thread Paul Wouters

On Thu, 25 Feb 2010, Benjamin S. wrote:

> Subject: openswan: pluto seems to ignore rightid if rightcert is set to
> missing file
>
> Paul wrote:
>> Try using leftid=%fromcert
>> You might also want to add leftsendcert=always
>
> Both options have no influence.

Hmm, then perhaps a log would be useful to see what is going on.

> May I ask why you are suggesting these options to me? Do you think my
> configuration is wrong?

I'm trying to understand the issue to see if this is a bug we need
to fix (I'm upstream, an openswan developer). I guess I misunderstood
that the config file shown was on the other side than the log msg.

I'll file it as bug on bugs.openswan.org

Paul






Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-02-25 Thread Benjamin S.

Paul wrote:
> Try using leftid=%fromcert
> You might also want to add leftsendcert=always

Both options have no influence.

May I ask why you are suggesting these options to me? Do you think my
configuration is wrong?

If not, there is no need to suggest other options to me because
everything works fine without rightcert set and I had no need to
set it anyway. I have set it only because I have started with the
same configuration on the server and the client.

Thus I don't think anyone can do sth. for me unless my
configuration is wrong. Instead it can be clarified if this
behaviour is new and if it is intended. If so maybe the maintainer
wants to document it somewhere.








Bug#571133: openswan: pluto seems to ignore rightid if rightcert is set to missing file

2010-02-23 Thread Benjamin S.
Package: openswan
Version: 1:2.6.23+dfsg-1
Severity: normal


Since I upgraded from lenny to testing my client was unable to connect to a 
server which is also using openswan but still lenny.

ipsec.conf at clientside was:

conn leftright
leftsourceip=192.168.111.5
leftsubnet=192.168.111.0/24
leftrsasigkey=%cert
leftcert=clientCert.pem
left=%defaultroute
leftid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=client.domain/emailaddress...@xx"
rightid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=server.domain, e...@xx"
right=server.dyndns.org
rightsubnet=192.168.113.0/24
rightrsasigkey=%cert
rightcert=serverCert.pem
auto=start

The serverCert.pem is only available on the server and the clientCert.pem only 
on the client.

Error from ipsec barf:
Feb 23 18:02:38 XXX pluto[18180]: "leftright" #1: no crl from issuer "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=, E=" found (strict=no)
Feb 23 18:02:38 XXX pluto[18180]: | authcert list locked by 'verify_x509cert'
Feb 23 18:02:38 XXX pluto[18180]: | signature algorithm: 'md5WithRSAEncryption'
Feb 23 18:02:38 XXX pluto[18180]: |   digest:  44 49 e6 32  93 b1 8e 43  42 36 9b bd  04 53 f8 ab
Feb 23 18:02:38 XXX pluto[18180]: | authcert list unlocked by 'verify_x509cert'
Feb 23 18:02:38 XXX pluto[18180]: | reached self-signed root ca
Feb 23 18:02:38 XXX pluto[18180]: | Public key validated
Feb 23 18:02:38 XXX pluto[18180]: "leftright" #1: we require peer to have ID '', but peer declares 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=, E='


After I have removed the parameter rightcert=serverCert.pem the connection 
works again. I don't know if it is mandatory that the file is missing to 
reproduce this behaviour.


Although I am not sure if it is a bug or not I report it to be on the safe 
side. At least I have seen many howtos which are using rightcert and leftcert 
in one section.



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31.7 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openswan depends on:
ii  bind9-host [host]  1:9.6.1.dfsg.P3-1 Version of 'host' bundled with BIN
ii  bsdmainutils   8.0.6 collection of more utilities from 
ii  debconf [debconf-2.0]  1.5.28Debian configuration management sy
ii  debianutils3.2.2 Miscellaneous utilities specific t
ii  iproute20091226-1networking and traffic control too
ii  ipsec-tools1:0.7.1-1.6   IPsec tools for Linux
ii  libc6  2.10.2-2  GNU C Library: Shared libraries
ii  libcurl3   7.19.7-1  Multi-protocol file transfer libra
ii  libgmp3c2  2:4.3.2+dfsg-1Multiprecision arithmetic library
ii  libldap-2.4-2  2.4.17-2.1OpenLDAP libraries
ii  libpam0g   1.1.1-1   Pluggable Authentication Modules l
ii  openssl0.9.8k-8  Secure Socket Layer (SSL) binary a

openswan recommends no packages.

Versions of packages openswan suggests:
ii  curl  7.19.7-1   Get a file from an HTTP, HTTPS or 
pn  openswan-modules-source | lin  (no description available)

-- debconf information excluded


