[Openswan dev] Openswan-2.3.0dr3 to Checkpoint NG AI55 success

Henrik Nordstrom hno at marasystems.com
Fri Nov 26 09:46:24 CET 2004

On Fri, 26 Nov 2004, Karl Vogel wrote:

> However Checkpoint still violates the DOI rule and
> expects a USER_FQDN without an '@' sign. After patching
> programs/pluto/id.c, I got it to work.
> Afterwards I googled for DOI and found an old
> aggressive mode patch for freeswan which had a checkpoint 4.1
> interop define which did the same...
> http://marasystems.com/download/freeswan/freeswan-1.97-aggrmode.patch

Indeed. The Checkpoint Interop stuff was in the original aggressive mode 
patch we inherited. As it was not directly aggressive mode related or 
standardized we did not include it in the patch submitted to Super 

This specific interop thing is included in the key id patch
http://marasystems.com/download/freeswan/key_id_type.patch and consists of 
two parts

   a) Removal of a trailing @ from FQDN IDs specified, to allow 
specification of such "checkpoint" IDs in the configuration.

   b) Ignoring the check that a received FQDN must contain a @

The checkpoint workaround should be fairly safe to include, but should 
perhaps use a more explicit configuration syntax to also allow for FQDN 
names without a domain as this is accepted by OpenSWAN and FreeSWAN today.

The ID_KEY_ID support should also be fine if not there already.


More information about the Dev mailing list