Hi, here is the next step of my previous mail speaking of the MODP1536 proposal
disappearing between a client and a FreeS/WAN server.
I. Consider the following schema with 4 FreeS/WAN gateways:
M --- X509 ---> B <--- PSK --- V <-- PSK --- R
M and V are clients of B and R is a client of V.
Now, if I try to do this (switching V from PSK mode to X509 mode):
M --- X509 ---> B <--- X509 --- V
V can't establish the tunnel because of the lack of MODP1536 when decoded by B!
Of course, in B's log you can see that MODP1536 is part of the proposal sent. But
on the B side MODP1536 has vanished!
Solution:
If I remove the part of B's ipsec.conf speaking of PSK, then the binding between V
and B using X509 works.
!?
II. So now, having resolved this problem, I get this:
M --- X509 ---> B <--- X509 --- V <-- PSK --- R
But tunnels between R and V don't work anymore!
Solution:
For them to work I need to comment out or remove the server part of V's ipsec.conf
that speaks of X509!
(Killing the server part doesn't disturb the client part, so the X509 tunnel
between V and B keeps on working.)
That is to say that whatever version of FreeS/WAN I have, I can't have a dual server
configuration:
X509 certificates and PSK.
I MUST have:
Y -- X509 --> X
or
Y -- PSK --> X
but
Y -- X509 --> X <-- PSK -- Z
IS NOT POSSIBLE !
What forbids me from smoothly migrating from PSK to X509 on the same gateway?
Desperate I am; if you can do something, you're welcome,
db
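The dual-authentication layout the mail describes (gateway B answering the X509 road warrior M and the peer V at the same time, with V present both as a PSK conn and as an X509 conn) written out as FreeS/WAN ipsec.conf and ipsec.secrets fragments. This is an added example, not db's configuration: the addresses, subnets, certificate and key file names, DNs and the secret are all made up, and it assumes the X.509 patch's syntax (leftcert, leftrsasigkey=%cert, certificates under /etc/ipsec.d/certs, private keys under /etc/ipsec.d/private). Whether such a layout comes up on a given FreeS/WAN build is exactly what the mail questions; the fragment is the shape to compare against.

```conf
# --- /etc/ipsec.conf on gateway B (added example, hypothetical addresses) ---
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none          # raise to "control" to watch which conn pluto selects
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        # authby is set in each conn below so that the PSK conn never
        # inherits a certificate-related setting from this block

# M: X509 road warrior with an unknown address, matched by the DN in its cert
conn m-to-b
        authby=rsasig
        left=192.0.2.10                     # B (made up)
        leftcert=bCert.pem                  # found in /etc/ipsec.d/certs (X.509 patch)
        leftrsasigkey=%cert
        leftsubnet=10.1.0.0/16
        right=%any
        rightid="C=FR, O=Example, CN=m"     # made-up DN
        rightrsasigkey=%cert
        auto=add

# V: X509 gateway with a fixed address, the state after switching V from PSK
conn v-to-b-x509
        authby=rsasig
        left=192.0.2.10
        leftcert=bCert.pem
        leftrsasigkey=%cert
        leftsubnet=10.1.0.0/16
        right=192.0.2.20                    # V (made up)
        rightid="C=FR, O=Example, CN=v"
        rightrsasigkey=%cert
        rightsubnet=10.2.0.0/16
        auto=add

# The PSK conn for V that the mail says has to be removed for the X509
# conn to come up. It keeps a fixed right= address: pluto looks the
# pre-shared secret up by peer address, so a PSK conn with right=%any
# could not be told apart from the certificate road warriors.
conn v-to-b-psk
        authby=secret
        left=192.0.2.10
        leftsubnet=10.1.0.0/16
        right=192.0.2.20
        rightsubnet=10.2.0.0/16
        auto=add

# --- /etc/ipsec.secrets on gateway B (added example) ---
# RSA private key matching bCert.pem (X.509 patch syntax; file name is
# relative to /etc/ipsec.d/private). Made-up file name and passphrase.
: RSA bKey.pem "passphrase-of-the-key-file"
# Pre-shared key for v-to-b-psk, indexed by the two gateway addresses.
# Constructed placeholder, not a real secret.
192.0.2.10 192.0.2.20 : PSK "constructed-example-secret-replace-me"
```

After `ipsec setup restart`, `ipsec auto --status` on B shows which conns pluto actually loaded, and `ipsec auto --listcerts` (X.509 patch) confirms that bCert.pem was read and which DN it carries; if the X509 conn for V is missing from the status output while the PSK conn is present, that is the place to look before blaming the DH group. Setting `plutodebug=control` while reproducing the failure makes pluto log which conn it picks for the incoming Main Mode exchange from V, which is the next thing to check when a proposal that the initiator logged as sent is reported missing on the responder.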