Bug 198126 - Unable to have differing authentication methods with right=%any
Status: CLOSED CANTFIX
Product: Fedora
Component: openswan
Version: 4
Platform: i686 Linux
Priority: medium
Severity: medium
Assigned To: Harald Hoyer
Reported: 2006-07-09 23:20 EDT by lannet
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-09-29 08:43:54 EDT
Description lannet 2006-07-09 23:20:21 EDT
Description of problem:
If the conn sections of ipsec.conf (or the includes) have the remote set to
accept connection from any IP address, typically "right=%any" (a common road
warrior setup), then it is not possible to mix "authby=rsasig" and
"authby=secret" in the various conn sections.  In other words, you cannot have
some road warriors authenticating using pre-shared keys (PSK), and some using
X509 certificates.

The received error message when you try to do:
# ipsec auto --add ROADWARRIOR-TWO

is:
023 authentication method disagrees with "ROADWARRIOR-ONE", which is also for an
unspecified peer
037 attempt to load incomplete connection


Version-Release number of selected component (if applicable):
Openswan 2.4.4


The relevant conn sections are:
conn ROADWARRIOR-ONE
        authby=secret
        auto=add
        dpdaction=clear
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightid=@RoadWarriorOne
        rightprotoport=17/1701

conn ROADWARRIOR-TWO
        authby=rsasig
        auto=add
        dpdaction=clear
        pfs=no
        left=%defaultroute
        leftid="<left_x509_cert_DN>"
        leftrsasigkey=%cert
        leftcert=roadwarriorone.pem
        leftprotoport=17/1701
        right=%any
        rightid="<right_x509_cert_DN>"
        rightrsasigkey=%cert
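The limitation the report describes can be caught before `ipsec auto --add` fails. The following is an added example (not part of the bug report or of Openswan): a small parser for the conn sections of an ipsec.conf-style file that groups every `right=%any` conn by its `authby` and reports when more than one method is in use, which is exactly the situation that produces error 023 above. The sample config is constructed from the report (with the leftcert correction from comment 1), and the assumption that a missing `authby` defaults to `rsasig` follows Openswan's documented default.

```python
import re
from collections import defaultdict

# Constructed sample, mirroring the conn sections in the report.
SAMPLE_CONF = """\
conn ROADWARRIOR-ONE
        authby=secret
        auto=add
        left=%defaultroute
        right=%any
        rightid=@RoadWarriorOne

conn ROADWARRIOR-TWO
        authby=rsasig
        auto=add
        left=%defaultroute
        leftcert=roadwarriorhost.pem
        right=%any
        rightid="<right_x509_cert_DN>"

conn OFFICE
        authby=secret
        right=192.0.2.10
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn NAME' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments, keep indent
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns

def find_any_peer_conflicts(conns):
    """Group right=%any conns by authby (assumed default: rsasig).

    Returns {authby: [conn names]} when more than one method is used for
    unspecified peers, which is what Openswan rejects; otherwise {}.
    """
    by_authby = defaultdict(list)
    for name, opts in conns.items():
        if opts.get("right") == "%any":
            by_authby[opts.get("authby", "rsasig")].append(name)
    return dict(by_authby) if len(by_authby) > 1 else {}
```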
Comment 1 lannet 2006-07-09 23:39:35 EDT
Correction to above:

leftcert=roadwarriorone.pem

should read

leftcert=roadwarriorhost.pem
Comment 2 Harald Hoyer 2006-09-29 08:43:54 EDT
please discuss this on Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users