[Openswan dev] Openswan-2.3.0dr3 to Checkpoint NG AI55 success
Karl Vogel
karl.vogel at telenet.be
Fri Nov 26 00:27:56 CET 2004
Since aggressive mode is now supported by openswan, I took
it for a spin and was able to connect to a Checkpoint NG
Application Intelligence V55 (Hot Fix 09) -- what a name! --
with a preshared secret.
However Checkpoint still violates the DOI 4.6.2.4 rule and
expects a USER_FQDN without an '@' sign. After patching
programs/pluto/id.c, I got it to work.
Afterwards I googled for DOI 4.6.2.4 and found an old
aggressive mode patch for freeswan which had a checkpoint 4.1
interop define which did the same...
http://marasystems.com/download/freeswan/freeswan-1.97-aggrmode.patch
The quick 'n dirty patch I did to my openswan was:
--- programs/pluto/id.c.orig 2004-11-25 23:36:00.129421832 +0100
+++ programs/pluto/id.c 2004-11-25 23:15:57.527245152 +0100
@@ -270,7 +270,7 @@ atoid(char *src, struct id *id, bool myi
*/
id->kind = ID_USER_FQDN;
id->name.ptr = src;
- id->name.len = strlen(src);
+ id->name.len = strlen(src)-1;
}
}
return ugh;
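Review bot: The `+` line `id->name.len = strlen(src)-1;` shortens every ID_USER_FQDN by one byte unconditionally, with no check in the visible lines that the dropped byte is actually a trailing '@' or that `src` is non-empty. An ID that does not end in '@' would silently lose its last character and be sent to every peer that way, not only to the Checkpoint gateway, and an empty `src` would yield a length of -1 (a very large value if `len` is an unsigned type). Suggest stripping only when `src[strlen(src)-1] == '@'` after a length check, logging a warning when that path is taken, and making the behaviour opt-in per connection so that peers that follow the DOI are unaffected. A comment on the changed line naming the interop case would also help, since the existing comment above it is cut off in this hunk.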
Maybe a proper solution would be to accept '@' as last character,
but emit a big fat warning about a broken implementation?!
Or would an extra ipsec.conf connection option to allow this
brokenness be better?
Or won't any of these interop patches be accepted?
Regards,
Karl