Since aggressive mode is now supported by openswan, I took
it for a spin and was able to connect to a Checkpoint NG
Application Intelligence V55 (Hot Fix 09) -- what a name! --
with a preshared secret.

However Checkpoint still violates the DOI rule and
expects a USER_FQDN without an '@' sign. After patching
programs/pluto/id.c, I got it to work.

Afterwards I googled for DOI and found an old
aggressive mode patch for freeswan which had a Checkpoint 4.1
interop define which did the same...


The quick 'n dirty patch I did to my openswan was:

--- programs/pluto/id.c.orig    2004-11-25 23:36:00.129421832 +0100
+++ programs/pluto/id.c 2004-11-25 23:15:57.527245152 +0100
@@ -270,7 +270,7 @@ atoid(char *src, struct id *id, bool myi
            id->kind = ID_USER_FQDN;
            id->name.ptr = src;
-           id->name.len = strlen(src);
+           id->name.len = strlen(src)-1;
     return ugh;
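
Review bot: the changed line "id->name.len = strlen(src)-1;" drops the last byte of every ID_USER_FQDN name unconditionally, without checking that this byte is actually '@', and if src is ever an empty string here the subtraction wraps to a huge length. Suggest trimming only when the length is nonzero and the final character is '@', putting that behind an interop define or connection option so that compliant peers keep the current behaviour, and adding a comment naming the Checkpoint interop reason, since a bare -1 reads like an off-by-one bug.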

Maybe a proper solution would be to accept '@' as last character,
but emit a big fat warning about a broken implementation?! 
Or would an extra ipsec.conf connection option to allow this
brokenness be better?

Or won't any of these interop patches be accepted?


