Package: openswan
Version: 1:2.4.4-3.1
Severity: normal

This has very likely already been reported upstream, and may even be known upstream (the available docs are unclear about this).
When I use the following connection settings:

conn onera
        left=%defaultroute
        leftrsasigkey=%cert
        leftcert=mykerinos.cer
        leftsendcert=always
        right=144.204.128.1
        rightsubnet=125.1.0.0/16
        rightid="[EMAIL PROTECTED], C=FR, ST=Ile de France, L=CHATILLON, O=ONERA, OU=DRIS, CN=144.204.48.1"
        rightxauthserver=yes
        ike=aes256-md5
        auto=start

I can initiate the connection with my peer:

Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: initiating Main Mode
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: received Vendor ID payload [Dead Peer Detection]
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: I am sending my cert
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: I am sending a certificate request
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: Main mode peer ID is ID_DER_ASN1_DN: '[EMAIL PROTECTED], C=FR, ST=Ile de France, L=CHATILLON, O=ONERA, OU=DRIS, CN=144.204.48.1'
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: no crl from issuer "C=FR, ST=92, L=CHATILLON, O=onera, CN=lip6" found (strict=no)
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5 group=modp1024}
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Mar 13 10:37:35 mykerinos last message repeated 3 times

but it stops there because my peer uses XAUTH for authentication. Then I add "xauthclient=yes" to my connection settings:

Mar 13 11:32:17 mykerinos pluto[18839]: "onera" #1: initiating Main Mode
Mar 13 11:32:17 mykerinos pluto[18839]: packet from 144.204.128.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 13 11:32:17 mykerinos pluto[18839]: packet from 144.204.128.1:500: received and ignored informational message
Mar 13 11:32:27 mykerinos pluto[18839]: packet from 144.204.128.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 13 11:32:27 mykerinos pluto[18839]: packet from 144.204.128.1:500: received and ignored informational message
Mar 13 11:32:35 mykerinos pluto[18839]: shutting down
Mar 13 11:32:35 mykerinos pluto[18839]: forgetting secrets
Mar 13 11:32:35 mykerinos pluto[18839]: "onera": deleting connection

Here, it appears that the IKE negotiation immediately fails because the two peers do not agree on IKE settings, just as happens if I don't use the "ike=aes256-md5" line. I suspect that "xauthclient=yes" somehow overrides the "ike=" settings, making it impossible to use both at the same time.
Some online documentation reports this was a bug in Openswan 2.2.* but, well, we're now at 2.4... :-)

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)

Versions of packages openswan depends on:
ii  bind9-host [host]         1:9.3.2-2     Version of 'host' bundled with BIN
ii  bsdmainutils              6.1.3         collection of more utilities from
ii  debconf [debconf-2.0]     1.4.72        Debian configuration management sy
ii  debianutils               2.15.3        Miscellaneous utilities specific t
ii  iproute                   20051007-3    Professional tools to control the
ii  ipsec-tools               1:0.6.5-1     IPsec tools for Linux
ii  libc6                     2.3.6-4       GNU C Library: Shared libraries an
ii  libcurl3                  7.15.3-1      Multi-protocol file transfer libra
ii  libgmp3c2                 4.1.4-11      Multiprecision arithmetic library
ii  libldap2                  2.1.30-13     OpenLDAP libraries
ii  libpam0g                  0.79-3.1      Pluggable Authentication Modules l
ii  libssl0.9.8               0.9.8a-8      SSL shared libraries
ii  makedev                   2.3.1-80      creates device files in /dev
ii  openssl                   0.9.8a-8      Secure Socket Layer (SSL) binary a

openswan recommends no packages.

-- debconf information:
  openswan/existing_x509_key_filename:
* openswan/x509_state_name: Hauts de Seine
* openswan/rsa_key_length: 2048
* openswan/restart: true
* openswan/start_level: earliest
* openswan/enable-oe: false
* openswan/existing_x509_certificate: false
  openswan/existing_x509_certificate_filename:
* openswan/create_rsa_key: true
* openswan/x509_email_address: [EMAIL PROTECTED]
* openswan/x509_country_code: FR
* openswan/x509_self_signed: false
* openswan/x509_organizational_unit: Département Réseaux et Informatique Scientifique
* openswan/x509_locality_name: Châtillon
* openswan/x509_common_name: mykerinos.onera
* openswan/rsa_key_type: x509
* openswan/x509_organization_name: ONERA
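The two pluto logs in the report above each fail for a different reason, and each reason is visible in exactly one line: the first attempt completes phase 1 and then stalls on "received MODECFG message ... and we aren't xauth client", the second never leaves STATE_MAIN_I1 because the peer answers NO_PROPOSAL_CHOSEN. The following Python triage script is an added example, not part of the bug report or of Openswan; it parses Openswan 2.4-style pluto syslog lines, records the Main Mode state transitions and the negotiated ISAKMP SA parameters, and turns the two diagnostic lines into a verdict. The embedded log excerpts are copied from the report; the "weak parameter" thresholds (MD5 PRF, MODP groups below 2048 bits) are this example's own policy, not something Openswan enforces.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Log excerpts copied from the bug report above (trimmed to the lines that matter).
ATTEMPT_WITHOUT_XAUTHCLIENT = """\
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: initiating Main Mode
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 13 10:36:52 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_md5 group=modp1024}
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 13 10:36:53 mykerinos pluto[16411]: "onera" #1: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Mar 13 10:37:35 mykerinos last message repeated 3 times
"""

ATTEMPT_WITH_XAUTHCLIENT = """\
Mar 13 11:32:17 mykerinos pluto[18839]: "onera" #1: initiating Main Mode
Mar 13 11:32:17 mykerinos pluto[18839]: packet from 144.204.128.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 13 11:32:17 mykerinos pluto[18839]: packet from 144.204.128.1:500: received and ignored informational message
Mar 13 11:32:35 mykerinos pluto[18839]: shutting down
"""

# syslog prefix: "Mar 13 10:36:52 host pluto[pid]: message"
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<rest>.*)$')   # per-SA messages
PEER_RE = re.compile(r'^packet from (?P<peer>[\d.]+:\d+): (?P<rest>.*)$')  # messages without an SA yet
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
SA_PARAMS_RE = re.compile(r'ISAKMP SA established \{([^}]*)\}')

@dataclass
class PlutoEvent:
    ts: str
    conn: Optional[str]
    sa_num: Optional[int]
    peer: Optional[str]
    text: str

def parse_line(line: str) -> Optional[PlutoEvent]:
    """Parse one syslog line; returns None for non-pluto lines such as 'last message repeated'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group('msg')
    c = CONN_RE.match(msg)
    if c:
        return PlutoEvent(m.group('ts'), c.group('conn'), int(c.group('sa')), None, c.group('rest'))
    p = PEER_RE.match(msg)
    if p:
        return PlutoEvent(m.group('ts'), None, None, p.group('peer'), p.group('rest'))
    return PlutoEvent(m.group('ts'), None, None, None, msg)

@dataclass
class Phase1Summary:
    states: List[str] = field(default_factory=list)      # Main Mode states reached, in order
    isakmp_sa: Optional[Dict[str, str]] = None           # auth/cipher/prf/group once phase 1 completes
    quick_mode_started: bool = False
    modecfg_without_xauth: bool = False                  # peer pushed ModeCfg but we are not an xauth client
    no_proposal_chosen: bool = False                     # peer rejected every IKE proposal we offered

    def diagnosis(self) -> str:
        if self.isakmp_sa is None and self.no_proposal_chosen:
            return 'phase1-rejected: peer answered NO_PROPOSAL_CHOSEN (ike= proposal mismatch)'
        if self.isakmp_sa is not None and self.modecfg_without_xauth:
            return 'phase1-ok, peer expects XAUTH/ModeCfg: this side is not configured as xauth client'
        if self.isakmp_sa is not None and self.quick_mode_started:
            return 'phase1-ok'
        return 'incomplete'

def summarize(log: str) -> Phase1Summary:
    """Walk a pluto log excerpt and collect the facts needed for a phase 1 verdict."""
    s = Phase1Summary()
    for raw in log.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        t = TRANSITION_RE.search(ev.text)
        if t:
            s.states.append(t.group(2))
        sa = SA_PARAMS_RE.search(ev.text)
        if sa:
            s.isakmp_sa = dict(kv.split('=', 1) for kv in sa.group(1).split())
        if ev.text.startswith('initiating Quick Mode'):
            s.quick_mode_started = True
        if 'received MODECFG message' in ev.text and "aren't xauth client" in ev.text:
            s.modecfg_without_xauth = True
        if 'NO_PROPOSAL_CHOSEN' in ev.text:
            s.no_proposal_chosen = True
    return s

# Example policy (an assumption of this script): flag MD5 as PRF and MODP groups under 2048 bits.
WEAK_PRFS = {'oakley_md5'}
WEAK_GROUPS = {'modp768', 'modp1024'}

def weak_parameters(sa: Dict[str, str]) -> List[str]:
    """Return the negotiated ISAKMP SA parameters that fall below the example policy."""
    flags = []
    if sa.get('prf') in WEAK_PRFS:
        flags.append('prf=' + sa['prf'])
    if sa.get('group') in WEAK_GROUPS:
        flags.append('group=' + sa['group'])
    return flags

if __name__ == '__main__':
    for name, log in (('without xauthclient', ATTEMPT_WITHOUT_XAUTHCLIENT),
                      ('with xauthclient', ATTEMPT_WITH_XAUTHCLIENT)):
        s = summarize(log)
        print(name, '->', s.diagnosis(), '| states:', s.states,
              '| weak:', weak_parameters(s.isakmp_sa) if s.isakmp_sa else 'n/a')
```

Run on a real box with `grep pluto /var/log/auth.log | python3 triage.py` after replacing the embedded excerpts with `sys.stdin.read()`; the verdict strings make the two failure modes in the report immediately distinguishable, and the weak-parameter flags show that the successful phase 1 in the first attempt was negotiated with an MD5 PRF and a 1024-bit MODP group, both worth tightening in `ike=` regardless of the xauthclient problem.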