Package: openswan Version: 1:2.4.12+dfsg-1.3+lenny1 Severity: important Setting up a "road warrior" configuration with pre shared keys. Laptop IP address is 192.168.4.12 (NATted, obviously, and variable by DHCP according to the host network). Ipsec gateway address is 213.170.149.180.
man ipsec.secrets states that %any can be used to match any IP (host or peer) but this does not seem to work at all, at least for pre shared keys (I haven't got a certificate secured connection yet to test that with). Test 1: Connection fails to match local address using %any: # cat /etc/ipsec.secrets 213.170.149.180 %any: PSK "secretsecret" # ipsec auto --rereadsecrets # ipsec auto --down PSK-CLIENT # ipsec auto --up PSK-CLIENT 104 "PSK-CLIENT" #8: STATE_MAIN_I1: initiate 003 "PSK-CLIENT" #8: ignoring unknown Vendor ID payload [4f455a7e4261425d725c705f] 003 "PSK-CLIENT" #8: received Vendor ID payload [Dead Peer Detection] 003 "PSK-CLIENT" #8: received Vendor ID payload [RFC 3947] method set to=109 003 "PSK-CLIENT" #8: Can't authenticate: no preshared key found for `192.168.4.12' and `213.170.149.180'. Attribute OAKLEY_AUTHENTICATION_METHOD 003 "PSK-CLIENT" #8: no acceptable Oakley Transform 214 "PSK-CLIENT" #8: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN Test 2: Connection also fails to match peer address using %any: # cat /etc/ipsec.secrets %any 192.168.4.12: PSK "secretsecret" # ipsec auto --rereadsecrets # ipsec auto --down PSK-CLIENT # ipsec auto --up PSK-CLIENT 104 "PSK-CLIENT" #8: STATE_MAIN_I1: initiate 003 "PSK-CLIENT" #8: ignoring unknown Vendor ID payload [4f455a7e4261425d725c705f] 003 "PSK-CLIENT" #8: received Vendor ID payload [Dead Peer Detection] 003 "PSK-CLIENT" #8: received Vendor ID payload [RFC 3947] method set to=109 003 "PSK-CLIENT" #8: Can't authenticate: no preshared key found for `192.168.4.12' and `213.170.149.180'. Attribute OAKLEY_AUTHENTICATION_METHOD 003 "PSK-CLIENT" #8: no acceptable Oakley Transform 214 "PSK-CLIENT" #8: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN Test 3: Connection only works if both local and peer addresses are specifically given: # cat /etc/ipsec.secrets 213.170.149.180 192.168.4.12: PSK "secretsecret" # ipsec auto --rereadsecrets # ipsec auto --down PSK-CLIENT # ipsec auto --up PSK-CLIENT 104 "PSK-CLIENT" #11: STATE_MAIN_I1: initiate 003 "PSK-CLIENT" #11: ignoring unknown Vendor ID payload [4f455a7e4261425d725c705f] 003 "PSK-CLIENT" #11: received Vendor ID payload [Dead Peer Detection] 003 "PSK-CLIENT" #11: received Vendor ID payload [RFC 3947] method set to=109 106 "PSK-CLIENT" #11: STATE_MAIN_I2: sent MI2, expecting MR2 003 "PSK-CLIENT" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed 108 "PSK-CLIENT" #11: STATE_MAIN_I3: sent MI3, expecting MR3 004 "PSK-CLIENT" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536} 117 "PSK-CLIENT" #12: STATE_QUICK_I1: initiate Most of the ipsec howtos suggest that one should start by working with a pre-shared key before adding the complexity of certificate management so this is a bit of an awkward problem as one cannot predict the local address on a road warrior setup. The problem is fixed in current unstable (openswan 1:2.6.20+dfsg-4.1) but this will be a cause of hair loss for Lenny users for some time to come. Upstream changelog for 2.6.18 refers to a bug fix: #228: Problems with %any matching in ipsec.secrets? [David McCullough] Is there any way this problem could be fixed in Lenny openswan 2.4.x, please, perhaps using the patch from Xcelerance BTS or a backport of the 2.6.18 fix ? http://bugs.xelerance.com/view.php?id=228 -- System Information: Debian Release: 5.0 APT prefers stable APT policy: (800, 'stable'), (500, 'oldstable'), (3, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org