[strongSwan] pluto denies equality of leftID and rightID
Andreas Steffen
andreas.steffen at strongswan.org
Mon Apr 18 23:49:48 CEST 2011
Hello Olaf,
The unstructuredAddress RDN was not supported by the right|leftid
parser. I fixed this with the following patch:
http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=a30e025901e59b8bafb3617a27535cd50ec8b7d6
I also published the following untested developers release
containing the unstructuredAddress fix:
http://download.strongswan.org/strongswan-4.5.2dr5.tar.bz2
BTW - I'm wondering that you are using unstructuredAddress for
IP addresses. According to PKCS#9 this RDN was rather intended
as an alternative to the postalAddress RDN.
Best regards
Andreas
On 04/18/2011 07:56 PM, Olaf Rottler wrote:
> Hello,
> after I had copied the rightID completely identically into IPSEC.conf,
> pluto still complains about inequality;
>
>
> 03 "msbt" #4: we require peer to have ID
> 'SN=JMX1429L3BD, unstructuredAddress=1.18.8.124,
> unstructuredName=msbt-gate.uni.int, CN=msbt-gate.uni.int'
>
> but peer declares
>
> 'SN=JMX1429L3BD, unstructuredAddress=1.18.8.124,
> unstructuredName=msbt-gate.uni.int, CN=msbt-gate.uni.int'
>
>
> I traced this down into switch_connection; the cause is apparently
> that the connection description was given the type _equals_binary and the
> recognized peer the type _equals_dn (ID_DER_ASN1_DN) (because of the first
> "=").
>
> 2415 if (initiator)
> 2416 {
> 2417 int pathlen;
> 2418
> 2419 *** if (!peer->equals(peer, c->spd.that.id))
> 2420 {
> 2421 loglog(RC_LOG_SERIOUS,
> 2422 "we require peer to have ID '%Y', but peer declares '%Y'",
> 2423 c->spd.that.id, peer);
>
> *peer = {get_encoding = 0x5080f0 <get_encoding>, get_type = 0x508110
> <get_type>, equals = 0x5088f0 <equals_dn>,
> matches = 0x508850 <matches_dn>, contains_wildcards = 0x5089b0
> <contains_wildcards_dn>,
> create_part_enumerator = 0x508940 <create_part_enumerator>, clone =
> 0x508d00 <clone_>, destroy = 0x508420 <destroy>}
> 6: peer = (identification_t *) 0x8767498
>
> *c->spd.that.id = {get_encoding = 0x5080f0 <get_encoding>, get_type =
> 0x508110 <get_type>, equals = 0x5082e0 <equals_binary>,
> matches = 0x508250 <matches_binary>, contains_wildcards = 0x506bf0
> <return_false>,
> create_part_enumerator = 0x508940 <create_part_enumerator>, clone =
> 0x508d00 <clone_>, destroy = 0x508420 <destroy>}
> (gdb) s
>
> Unfortunately, I can't yet see offhand at which point, and why, this
> happens when the config is read in.
>
> Regards
>
> Olaf
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
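
A simplified model of the mismatch discussed in this thread, added here as an example; it is not strongSwan code and not the patch linked above. The type names, the keyword table and the fallback to an opaque ID are assumptions chosen to mirror the equals_binary / equals_dn split visible in the gdb output: two IDs that print identically still compare unequal when the configured one was not parsed as a DN.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not strongSwan source; every name here is hypothetical. */
typedef enum { ID_OPAQUE, ID_DN } id_type_t;
typedef struct { id_type_t type; char text[256]; } ident_t;
static const char *RDNS[] = { "CN", "SN", "unstructuredName", "unstructuredAddress" };

/* Keywords the toy parser knows; with_fix adds unstructuredAddress (entry 4). */
static int known_rdn(const char *kw, size_t n, int with_fix)
{
    for (size_t i = 0; i < (with_fix ? 4u : 3u); i++)
        if (strlen(RDNS[i]) == n && strncmp(RDNS[i], kw, n) == 0)
            return 1;
    return 0;
}

/* Parse "k=v, k=v": one unknown keyword demotes the whole ID to opaque. */
ident_t parse_config_id(const char *s, int with_fix)
{
    ident_t id = { ID_DN, "" };
    snprintf(id.text, sizeof(id.text), "%s", s);
    for (const char *p = s; p && *p; ) {
        const char *eq = strchr(p, '=');
        if (!eq || !known_rdn(p, (size_t)(eq - p), with_fix)) {
            id.type = ID_OPAQUE;
            break;
        }
        p = strchr(eq, ',');                          /* next RDN, if any */
        p = p ? p + 1 + strspn(p + 1, " ") : NULL;    /* skip ", " */
    }
    return id;
}

/* Peer ID modelled as always a DN; equality checks type, then bytes. */
int config_matches_peer(const char *s, int with_fix)
{
    ident_t want = parse_config_id(s, with_fix);
    ident_t peer = { ID_DN, "" };
    snprintf(peer.text, sizeof(peer.text), "%s", s);
    return peer.type == want.type && strcmp(peer.text, want.text) == 0;
}

int main(void)
{
    /* ID string as quoted in the log output of this thread. */
    const char *id = "SN=JMX1429L3BD, unstructuredAddress=1.18.8.124, "
                     "unstructuredName=msbt-gate.uni.int, CN=msbt-gate.uni.int";
    printf("old: %d, fixed: %d\n", config_matches_peer(id, 0), config_matches_peer(id, 1));
    return 0;
}
```

When a log shows "required" and "declared" IDs that look the same, compare the ID types as well as the printed strings.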