What you experience is a well-known deficiency of vanilla FreeS/WAN that does not have anything to do with X.509 certificate support. When a roadwarrior initiates a connection then the FreeS/WAN gateway chooses the first roadwarrior connection definition it finds in its chained list of connections and uses the set of encryption/authentication parameters defined by that tentative connection to match it against the roadwarrior proposal. Thus with the order
    conn rw1
        authby=psk
    conn rw2
        authby=rsasig
only PSK roadwarrior connections are accepted whereas with
    conn rw2
        authby=rsasig
    conn rw1
        authby=psk
only RSA authentication is possible. Similar things happen when one roadwarrior connection defines MODP1024 and another one MODP1536. FreeS/WAN is not able to do a closest match among the available roadwarrior connection definitions based on the actual parameters proposed by the roadwarrior.
Dominique Blas wrote:
Hi, here is the next step of my previous mail speaking of the MODP1536 proposition disappearing between a client and a FreeS/WAN server.
I. Consider the following schema with 4 FreeS/WAN gateways:
M --- X509 ---> B <--- PSK --- V <-- PSK --- R
M and V are clients of B and R is a client of V.
Now, if I tried to do this (switching V from PSK mode to X509 mode)
M --- X509 ---> B <--- X509 --- V
V can't establish the tunnel because of lack of MODP1536 when decoded by B! Of course, in B's log you can see that MODP1536 is part of the proposition sent. But on the B side MODP1536 has vanished!
Solution: If I cancel the part of B's ipsec.conf speaking of PSK, then the bind between V and B using X509 is working.
!?
II. So, now, having resolved this problem, I get this:
M --- X509 ---> B <--- X509 --- V <-- PSK --- R
But tunnels between R and V don't work anymore !
Solution: For them to work I need to comment or cancel the V's server part of ipsec.conf that speaks of X509!
(Killing the server part doesn't disturb the client part so X509 tunnel between V and B is keeping on working).
That is to say that whatever version of FreeS/WAN I have, I can't have a dual server configuration: X509 certificates and PSK.
I MUST have: Y -- X509 --> X or Y -- PSK --> X
but Y -- X509 --> X <-- PSK -- Z
IS NOT POSSIBLE !
What forbids me to smoothly migrate from PSK to X509 on the same gateway?
Desperate I am. If you can do something, you're welcome,
db
--
=======================================================================
Andreas Steffen                    e-mail: [EMAIL PROTECTED]
strongSec GmbH                     home:   http://www.strongsec.com
Alter Zürichweg 20                 phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)    fax:    +41 1 730 80 65
==========================================[strong internet security]===
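To make the first-match behaviour Andreas describes concrete, here is a small Python model added to this thread; it is not FreeS/WAN code and does not parse ipsec.conf. It assumes a gateway holding a list of roadwarrior conns, each with an authby and a set of accepted Diffie-Hellman groups, and an initiator offering one or more (auth, group) transforms. The IKE group numbers (MODP1024 = group 2, MODP1536 = group 5) are the standard ones; the conn names, the single-transform proposals and the "closest match" policy are constructed for the illustration. Running it shows the same thing as the two orderings above and as Dominique's gateway B: with rw1 (PSK) first, the X.509 roadwarrior is refused even though MODP1536 is in its proposal; with rw2 first, the PSK roadwarrior is refused; only a search over all conns admits both.

```python
# Added illustration (not FreeS/WAN source): a model of the first-match
# roadwarrior conn selection described in the reply above.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IKE Diffie-Hellman group numbers (RFC 2409 group 2, RFC 3526 group 5)
MODP1024 = 2
MODP1536 = 5


@dataclass(frozen=True)
class Conn:
    """One roadwarrior 'conn' block as the gateway holds it in its list."""
    name: str
    authby: str                 # "psk" or "rsasig"
    modp: Tuple[int, ...]       # DH groups this conn will accept


@dataclass(frozen=True)
class Transform:
    """One (auth method, DH group) pair offered by the roadwarrior."""
    authby: str
    modp: int


def fits(conn: Conn, proposal: List[Transform]) -> bool:
    """True if any offered transform matches the conn's parameters."""
    return any(t.authby == conn.authby and t.modp in conn.modp for t in proposal)


def first_match(conns: List[Conn], proposal: List[Transform]) -> Optional[str]:
    """Vanilla FreeS/WAN as described in the thread: the first roadwarrior
    conn in the list is the only tentative conn the proposal is checked
    against. Returns the accepting conn's name, or None if refused."""
    if not conns:
        return None
    tentative = conns[0]
    return tentative.name if fits(tentative, proposal) else None


def closest_match(conns: List[Conn], proposal: List[Transform]) -> Optional[str]:
    """What the thread says FreeS/WAN cannot do: walk every roadwarrior
    conn and accept the first one whose parameters fit the proposal."""
    for conn in conns:
        if fits(conn, proposal):
            return conn.name
    return None


# Constructed sample data mirroring the thread: rw1 is the PSK roadwarrior
# conn, rw2 the RSA/X.509 one; each roadwarrior offers a single transform.
RW1_PSK = Conn("rw1", "psk", (MODP1024,))
RW2_RSA = Conn("rw2", "rsasig", (MODP1536,))
PSK_ROADWARRIOR = [Transform("psk", MODP1024)]
X509_ROADWARRIOR = [Transform("rsasig", MODP1536)]   # MODP1536 really is proposed


def outcome(order: List[Conn]) -> dict:
    """Which roadwarriors get in for a given conn order, under both policies.
    Each value is (result for the PSK roadwarrior, result for the X.509 one)."""
    return {
        "first_match": (first_match(order, PSK_ROADWARRIOR),
                        first_match(order, X509_ROADWARRIOR)),
        "closest_match": (closest_match(order, PSK_ROADWARRIOR),
                          closest_match(order, X509_ROADWARRIOR)),
    }


if __name__ == "__main__":
    for label, order in (("rw1 (psk) first", [RW1_PSK, RW2_RSA]),
                         ("rw2 (rsasig) first", [RW2_RSA, RW1_PSK])):
        print(label, outcome(order))
```

The model ignores everything else in a real IKE proposal (cipher, hash, lifetimes); the point is only that whatever the proposal contains, a gateway that consults a single tentative conn cannot serve two roadwarrior populations with different authby or DH group settings, which is exactly the X509-plus-PSK combination Dominique wants on one gateway.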