Your message dated Thu, 6 Jan 2011 23:52:56 +0100
with message-id <[email protected]>
and subject line Bug#359183: fixed in openswan 1:2.4.12+dfsg-1
has caused the Debian Bug report #359183,
regarding openswan: Unable to use "ike=" and "leftxauthclient=yes" 
simultaneously
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
359183: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359183
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openswan
Version: 1:2.4.4-3.1
Severity: normal

This is probably very likely to be reported upstream and maybe even known
from upstream (available docs are unclear about this).

When I use the following connection settings:

conn onera
    left=%defaultroute
    leftrsasigkey=%cert
    leftcert=mykerinos.cer
    leftsendcert=always
    right=144.204.128.1
    rightsubnet=125.1.0.0/16
    rightid="[email protected], C=FR, ST=Ile de France, L=CHATILLON, O=ONERA, OU=DRIS, CN=144.204.48.1"
    rightxauthserver=yes
    ike=aes256-md5
    auto=start

I can initiate the connection with my peer:

Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: initiating Main Mode
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: received Vendor ID payload [Dead Peer Detection]
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: I am sending my cert
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: I am sending a certificate request
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: Main mode peer ID is ID_DER_ASN1_DN: '[email protected], C=FR, ST=Ile de France, L=CHATILLON, O=ONERA, OU=DRIS, CN=144.204.48.1'
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: no crl from issuer "C=FR, ST=92, L=CHATILLON, O=onera, CN=lip6" found (strict=no)
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5 group=modp1024}
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Mar 13 10:37:35 mykerinos last message repeated 3 times

but it stops there because my peer uses XAUTH for authentication.

Then I add "xauthclient=yes" to my connection settings:

Mar 13 11:32:17 mykerinos pluto[18839]: "onera" #1: initiating Main Mode
Mar 13 11:32:17 mykerinos pluto[18839]: packet from 144.204.128.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 13 11:32:17 mykerinos pluto[18839]: packet from 144.204.128.1:500: received and ignored informational message
Mar 13 11:32:27 mykerinos pluto[18839]: packet from 144.204.128.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 13 11:32:27 mykerinos pluto[18839]: packet from 144.204.128.1:500: received and ignored informational message
Mar 13 11:32:35 mykerinos pluto[18839]: shutting down
Mar 13 11:32:35 mykerinos pluto[18839]: forgetting secrets
Mar 13 11:32:35 mykerinos pluto[18839]: "onera": deleting connection

Here, it appears that IKE negotiation immediately fails because the two peers
do not agree on IKE settings, just like it happens if I don't use the
"ike=aes256-md5" line.

I suspect that "xauthclient=yes" somewhat overrides the "ike=" settings,
making it impossible to use both at the same time. Some online documentation
reports this was a bug in Openswan 2.2.* but, well, we're now with 2.4...:-)



-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to fr_FR.UTF-8)

Versions of packages openswan depends on:
ii  bind9-host [host]             1:9.3.2-2  Version of 'host' bundled with BIN
ii  bsdmainutils                  6.1.3      collection of more utilities from 
ii  debconf [debconf-2.0]         1.4.72     Debian configuration management sy
ii  debianutils                   2.15.3     Miscellaneous utilities specific t
ii  iproute                       20051007-3 Professional tools to control the 
ii  ipsec-tools                   1:0.6.5-1  IPsec tools for Linux
ii  libc6                         2.3.6-4    GNU C Library: Shared libraries an
ii  libcurl3                      7.15.3-1   Multi-protocol file transfer libra
ii  libgmp3c2                     4.1.4-11   Multiprecision arithmetic library
ii  libldap2                      2.1.30-13  OpenLDAP libraries
ii  libpam0g                      0.79-3.1   Pluggable Authentication Modules l
ii  libssl0.9.8                   0.9.8a-8   SSL shared libraries
ii  makedev                       2.3.1-80   creates device files in /dev
ii  openssl                       0.9.8a-8   Secure Socket Layer (SSL) binary a

openswan recommends no packages.

-- debconf information:
  openswan/existing_x509_key_filename:
* openswan/x509_state_name: Hauts de Seine
* openswan/rsa_key_length: 2048
* openswan/restart: true
* openswan/start_level: earliest
* openswan/enable-oe: false
* openswan/existing_x509_certificate: false
  openswan/existing_x509_certificate_filename:
* openswan/create_rsa_key: true
* openswan/x509_email_address: [email protected]
* openswan/x509_country_code: FR
* openswan/x509_self_signed: false
* openswan/x509_organizational_unit: Département Réseaux et Informatique 
Scientifique
* openswan/x509_locality_name: Châtillon
* openswan/x509_common_name: mykerinos.onera
* openswan/rsa_key_type: x509
* openswan/x509_organization_name: ONERA


--- End Message ---
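The two pluto log excerpts in the report above show the three outcomes an operator has to tell apart when triaging this kind of failure: an ISAKMP SA that is established but then stalls on MODECFG because the local side is not an XAUTH client, a Main Mode that dies immediately with NO_PROPOSAL_CHOSEN, and a clean establishment. The following Python script is an added example, not part of the bug report and not Openswan's own tooling; it parses pluto's syslog lines, groups them per daemon run (pluto PID), and reports which of those outcomes occurred together with the negotiated ISAKMP parameters. The sample log lines are copied from the report with the mail wrapping removed; the regular expression and the finding names are my own assumptions about the log format shown on the page, not an official pluto log grammar.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: pluto lines taken from the bug report above, one entry per
# line.  The "last message repeated" line is a syslog summary, not a pluto entry,
# and is expected to be skipped by the parser.
SAMPLE_LOG = """\
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: initiating Main Mode
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5 group=modp1024}
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Mar 13 10:37:35 mykerinos last message repeated 3 times
Mar 13 11:32:17 mykerinos pluto[18839]: "onera" #1: initiating Main Mode
Mar 13 11:32:17 mykerinos pluto[18839]: packet from 144.204.128.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 13 11:32:17 mykerinos pluto[18839]: packet from 144.204.128.1:500: received and ignored informational message
Mar 13 11:32:35 mykerinos pluto[18839]: shutting down
"""

# Assumed line shape (derived from the lines on the page): syslog prefix, pluto[pid],
# then either a quoted connection name with an SA number, a "packet from peer:"
# prefix, or nothing, followed by the free-text message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): |packet from (?P<peer>[^:]+:\d+): )?'
    r'(?P<msg>.*)$'
)
ESTABLISHED_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')


@dataclass
class PlutoEvent:
    ts: str
    host: str
    pid: int
    conn: Optional[str]
    sa: Optional[int]
    peer: Optional[str]
    msg: str


def parse_line(line: str) -> Optional[PlutoEvent]:
    """Parse one syslog line; return None for lines that are not pluto entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return PlutoEvent(
        ts=m.group("ts"), host=m.group("host"), pid=int(m.group("pid")),
        conn=m.group("conn"), sa=int(m.group("sa")) if m.group("sa") else None,
        peer=m.group("peer"), msg=m.group("msg"),
    )


def parse_params(params: str) -> Dict[str, str]:
    """Turn 'auth=OAKLEY_RSA_SIG cipher=aes_256 ...' into a dict for policy checks."""
    return dict(kv.split("=", 1) for kv in params.split())


def triage(log_text: str) -> Dict[int, dict]:
    """Group pluto events per daemon run (PID) and classify the negotiation outcome.

    Findings (names are this example's own):
      isakmp_established          - Phase 1 completed; negotiated params recorded
      modecfg_without_xauthclient - peer sent MODECFG but we are not an xauth client
      no_proposal_chosen          - peer rejected our IKE proposal outright
    """
    runs: Dict[int, dict] = defaultdict(lambda: {"findings": [], "isakmp": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        run = runs[ev.pid]
        est = ESTABLISHED_RE.search(ev.msg)
        if est:
            run["isakmp"] = parse_params(est.group("params"))
            run["findings"].append("isakmp_established")
        elif "received MODECFG message" in ev.msg and "aren't xauth client" in ev.msg:
            run["findings"].append("modecfg_without_xauthclient")
        elif "NO_PROPOSAL_CHOSEN" in ev.msg:
            run["findings"].append("no_proposal_chosen")
    return dict(runs)


if __name__ == "__main__":
    for pid, run in sorted(triage(SAMPLE_LOG).items()):
        print(f"pluto[{pid}]: findings={run['findings']} isakmp={run['isakmp']}")
```

Feeding the daemon's real log through `triage` separates "Phase 1 is fine but the peer wants XAUTH" from "the peer does not accept our proposal" without reading every line by hand, and the recorded `isakmp` dict lets you check the negotiated cipher, PRF and DH group against your own policy after a change to `ike=`.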
--- Begin Message ---
Source: openswan
Source-Version: 1:2.4.12+dfsg-1

As you filed this bug report against Debian Lenny please use the version from
Debian Lenny Backports (1:2.6.28+dfsg-5~bpo50+1) available from the Backports
repository (please see http://backports.debian.org/Instructions/ for adding a
line to sources.list and http://backports.debian.org/Mirrors/ for a list of
mirrors).

Kind regards
Harald Jenny


--- End Message ---