Package: openswan
Version: 1:2.6.23+dfsg-1
Severity: normal
Since I upgraded from lenny to testing, my client was unable to connect to a server which is also using openswan but is still on lenny. ipsec.conf on the client side was:

    conn leftright
        leftsourceip=192.168.111.5
        leftsubnet=192.168.111.0/24
        leftrsasigkey=%cert
        leftcert=clientCert.pem
        left=%defaultroute
        leftid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=client.domain/emailaddress...@xx"
        rightid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=server.domain, e...@xx"
        right=server.dyndns.org
        rightsubnet=192.168.113.0/24
        rightrsasigkey=%cert
        rightcert=serverCert.pem
        auto=start

The serverCert.pem is only available on the server and the clientCert.pem only on the client.

Error from ipsec barf:

    Feb 23 18:02:38 XXXXXXX pluto[18180]: "leftright" #1: no crl from issuer "C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<CA>, E=<mailaddress>" found (strict=no)
    Feb 23 18:02:38 XXXXXXX pluto[18180]: | authcert list locked by 'verify_x509cert'
    Feb 23 18:02:38 XXXXXXX pluto[18180]: | signature algorithm: 'md5WithRSAEncryption'
    Feb 23 18:02:38 XXXXXXX pluto[18180]: | digest: 44 49 e6 32 93 b1 8e 43 42 36 9b bd 04 53 f8 ab
    Feb 23 18:02:38 XXXXXXX pluto[18180]: | authcert list unlocked by 'verify_x509cert'
    Feb 23 18:02:38 XXXXXXX pluto[18180]: | reached self-signed root ca
    Feb 23 18:02:38 XXXXXXX pluto[18180]: | Public key validated
    Feb 23 18:02:38 XXXXXXX pluto[18180]: "leftright" #1: we require peer to have ID '<SERVERIP>', but peer declares 'C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=<server.domain>, E=<mailaddress>'

After I removed the parameter rightcert=serverCert.pem, the connection works again. I don't know if it is mandatory that the file is missing to reproduce this behaviour. Although I am not sure whether it is a bug or not, I report it to be on the safe side. At least I have seen many howtos which use rightcert and leftcert in one section.
-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31.7 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openswan depends on:
ii  bind9-host [host]       1:9.6.1.dfsg.P3-1  Version of 'host' bundled with BIN
ii  bsdmainutils            8.0.6              collection of more utilities from
ii  debconf [debconf-2.0]   1.5.28             Debian configuration management sy
ii  debianutils             3.2.2              Miscellaneous utilities specific t
ii  iproute                 20091226-1         networking and traffic control too
ii  ipsec-tools             1:0.7.1-1.6        IPsec tools for Linux
ii  libc6                   2.10.2-2           GNU C Library: Shared libraries
ii  libcurl3                7.19.7-1           Multi-protocol file transfer libra
ii  libgmp3c2               2:4.3.2+dfsg-1     Multiprecision arithmetic library
ii  libldap-2.4-2           2.4.17-2.1         OpenLDAP libraries
ii  libpam0g                1.1.1-1            Pluggable Authentication Modules l
ii  openssl                 0.9.8k-8           Secure Socket Layer (SSL) binary a

openswan recommends no packages.

Versions of packages openswan suggests:
ii  curl                          7.19.7-1   Get a file from an HTTP, HTTPS or
pn  openswan-modules-source | lin <none>     (no description available)

-- debconf information excluded
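The report describes a conn section that names both leftcert and rightcert while only one of the two files exists on the host, after which pluto required the peer's ID to be its IP address rather than the configured rightid. The following is an added example, not part of the bug report or of openswan: a small checker that parses an ipsec.conf-style text and flags leftcert/rightcert entries whose file is absent from the local certificate directory, so the pattern can be spotted before a tunnel negotiation fails. The conn section, the directory layout, the hostname and the placeholder certificate contents are constructed for the example.

```python
"""Added example (not from the bug report): flag conn sections whose
leftcert/rightcert point at a certificate file that is not present locally.

The sample configuration below mirrors the shape of the reported conn:
clientCert.pem is present on the client, serverCert.pem is not. Everything
here (file names, hostname, certificate contents) is constructed."""
import os
import re
import tempfile

# Section headers look like "conn NAME" or "config setup" at column 0.
_SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Minimal parser: indented key=value lines under a 'conn NAME' header,
    '#' comments stripped, quotes around values removed. 'config setup'
    is skipped since it carries no certificate settings.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = sections.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip().strip('"')
    return sections


def find_missing_certs(sections, cert_dir):
    """Return (conn, key, filename) for leftcert/rightcert files absent from cert_dir.

    Relative file names are resolved against cert_dir, mirroring how the
    certs directory holds the local end's certificate.
    """
    findings = []
    for name, params in sections.items():
        for key in ("leftcert", "rightcert"):
            fname = params.get(key)
            if fname is None:
                continue
            path = fname if os.path.isabs(fname) else os.path.join(cert_dir, fname)
            if not os.path.isfile(path):
                findings.append((name, key, fname))
    return findings


# Constructed sample configuration; only the client certificate will exist.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn leftright
    leftsourceip=192.168.111.5
    leftsubnet=192.168.111.0/24
    leftrsasigkey=%cert
    leftcert=clientCert.pem
    left=%defaultroute
    leftid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=client.domain"
    rightid="C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=server.domain"
    right=server.example.invalid
    rightsubnet=192.168.113.0/24
    rightrsasigkey=%cert
    rightcert=serverCert.pem   # only present on the server
    auto=start
"""


def demo():
    """Run the checker with a temporary cert dir holding only clientCert.pem."""
    with tempfile.TemporaryDirectory() as cert_dir:
        with open(os.path.join(cert_dir, "clientCert.pem"), "w") as fh:
            # Constructed placeholder, not a real certificate.
            fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        return find_missing_certs(parse_ipsec_conf(SAMPLE_CONF), cert_dir)


if __name__ == "__main__":
    for conn, key, fname in demo():
        print(f"conn {conn}: {key}={fname} not found in cert dir")
```

Run against a real host, point find_missing_certs at the directory that actually holds the local certificates and feed it the contents of the live ipsec.conf; any conn reported with a missing rightcert is a candidate for the behaviour described above.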