Bug 198126

Summary: Unable to have differing authentication methods with right=%any
Product: Fedora
Reporter: lannet
Component: openswan
Assignee: Harald Hoyer <harald>
Status: CLOSED CANTFIX
Severity: medium
Priority: medium
Version: 4
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-09-29 12:43:54 UTC

Description lannet 2006-07-10 03:20:21 UTC
Description of problem:
If the conn sections of ipsec.conf (or the includes) have the remote set to
accept connection from any IP address, typically "right=%any" (a common road
warrior setup), then it is not possible to mix "authby=rsasig" and
"authby=secret" in the various conn sections.  In other words, you cannot have
some road warriors authenticating using pre-shared keys (PSK), and some using
X509 certificates.

The received error message when you try to do:
# ipsec auto --add ROADWARRIOR-TWO

is:
023 authentication method disagrees with "ROADWARRIOR-ONE", which is also for an
unspecified peer
037 attempt to load incomplete connection


Version-Release number of selected component (if applicable):
Openswan 2.4.4


The relevant conn sections are:
conn ROADWARRIOR-ONE
        authby=secret
        auto=add
        dpdaction=clear
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightid=@RoadWarriorOne
        rightprotoport=17/1701

conn ROADWARRIOR-TWO
        authby=rsasig
        auto=add
        dpdaction=clear
        pfs=no
        left=%defaultroute
        leftid="<left_x509_cert_DN>"
        leftrsasigkey=%cert
        leftcert=roadwarriorone.pem
        leftprotoport=17/1701
        right=%any
        rightid="<right_x509_cert_DN>"
        rightrsasigkey=%cert
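
A small linter for the situation described in this report, added here as an example and not part of the bug or of openswan itself: it parses the conn sections of an ipsec.conf and reports when more than one authby value is used among conns whose peer is right=%any, which is exactly the mix pluto refuses to load. The sample configuration is constructed from the two conns above; the fixed-peer conn and the 192.0.2.10 address are assumptions added to show that only unspecified peers are affected.

```python
"""Lint an openswan-style ipsec.conf for conn sections that all use right=%any
but disagree on authby, the combination pluto rejects in this report."""
import re

# Constructed sample: the two conns from the report plus an unaffected fixed-peer conn.
SAMPLE_CONF = """\
conn ROADWARRIOR-ONE
        authby=secret
        right=%any
        rightid=@RoadWarriorOne

conn ROADWARRIOR-TWO
        authby=rsasig
        right=%any
        rightrsasigkey=%cert   # certificate supplied by the peer

conn SITE-TO-SITE
        authby=secret
        right=192.0.2.10
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; indented key=value lines belong to the
    most recent 'conn NAME' header, comments and other sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing comments
        if not line.strip():
            continue
        if not line[:1].isspace():                 # section header at column 0
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def any_peer_auth_conflicts(conns):
    """Group conns that have right=%any by authby. A non-empty result means more
    than one method is in use for unspecified peers, the mix pluto refuses."""
    by_auth = {}
    for name, opts in conns.items():
        if opts.get("right") == "%any":
            # a conn without authby uses openswan's default, rsasig
            by_auth.setdefault(opts.get("authby", "rsasig"), []).append(name)
    return by_auth if len(by_auth) > 1 else {}

def lint(text):
    conflicts = any_peer_auth_conflicts(parse_conns(text))
    return [f"authby={m}: {', '.join(sorted(n))}" for m, n in sorted(conflicts.items())]
```

Running `lint(SAMPLE_CONF)` yields one line per authentication method in the conflict, naming the conns that use it; an empty list means the file would not trigger the error.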

Comment 1 lannet 2006-07-10 03:39:35 UTC
Correction to above:

leftcert=roadwarriorone.pem

should read

leftcert=roadwarriorhost.pem

Comment 2 Harald Hoyer 2006-09-29 12:43:54 UTC
please discuss this on Users
http://lists.openswan.org/mailman/listinfo/users