[Openswan dev] Openswan-2.3.0dr3 to Checkpoint NG AI55 success
hno at marasystems.com
Fri Nov 26 09:46:24 CET 2004
On Fri, 26 Nov 2004, Karl Vogel wrote:
> However Checkpoint still violates the DOI 184.108.40.206 rule and
> expects a USER_FQDN without an '@' sign. After patching
> programs/pluto/id.c, I got it to work.
> Afterwards I googled for DOI 220.127.116.11 and found an old
> aggressive mode patch for freeswan which had a checkpoint 4.1
> interop define which did the same...
Indeed. The Checkpoint Interop stuff was in the original aggressive mode
patch we inherited. As it was not directly aggressive mode related or
standardized we did not include it in the patch submitted to Super
This specific interop thing is included in the key id patch
http://marasystems.com/download/freeswan/key_id_type.patch and consists of
a) Removal of a trailing @ from FQDN IDs specified, to allow
specification of such "checkpoint" IDs in the configuration.
b) Ignoring the check that a received FQDN must contain a @
The checkpoint workaround should be fairly safe to include, but should
perhaps use a more explicit configuration syntax to also allow for FQDN
names without a domain as this is accepted by OpenSWAN and FreeSWAN today.
The ID_KEY_ID support should also be fine if not there already.
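The two behaviours the message attributes to the key_id patch, stripping a trailing '@' from a configured FQDN ID and relaxing the "received USER_FQDN must contain '@'" check, can be illustrated in a small C routine. The code below is an added example for this thread, not the patch itself and not Openswan's programs/pluto/id.c; the enum, the function names and the `checkpoint_interop` flag (the explicit per-connection switch the message says would be preferable to an unconditional workaround) are assumptions, as are the sample IDs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ID kinds covering the two cases discussed in the thread. */
enum id_kind { ID_FQDN, ID_USER_FQDN };

/* (a) Remove one trailing '@' from a configured ID string, in place,
 * so that a "checkpoint" style ID can be written in the configuration.
 * Returns true if a character was removed. */
bool strip_trailing_at(char *id)
{
    size_t n = strlen(id);
    if (n > 0 && id[n - 1] == '@') {
        id[n - 1] = '\0';
        return true;
    }
    return false;
}

/* (b) Decide whether a received ID body is acceptable for its kind.
 * Strict behaviour: a USER_FQDN must carry a non-empty user and host
 * part around '@'; an FQDN must contain no '@' at all.
 * checkpoint_interop relaxes only the USER_FQDN requirement, and only
 * for that one kind, so the FQDN rule is unchanged. */
bool id_body_acceptable(enum id_kind kind, const char *body,
                        bool checkpoint_interop)
{
    if (body == NULL || body[0] == '\0')
        return false;                    /* empty IDs are never accepted */

    const char *at = strchr(body, '@');
    switch (kind) {
    case ID_USER_FQDN:
        if (at == NULL)
            return checkpoint_interop;   /* peer sent user FQDN without '@' */
        return at != body && at[1] != '\0';
    case ID_FQDN:
        return at == NULL;
    }
    return false;
}

int main(void)
{
    /* Constructed sample values, not from the thread. */
    char configured[] = "branch.example.net@";
    bool stripped = strip_trailing_at(configured);
    printf("configured id -> \"%s\" (stripped=%d)\n", configured, stripped);

    const char *peer_id = "branch.example.net";
    printf("strict:  %d\n", id_body_acceptable(ID_USER_FQDN, peer_id, false));
    printf("interop: %d\n", id_body_acceptable(ID_USER_FQDN, peer_id, true));
    return 0;
}
```

Keeping the relaxation behind a flag scoped to one ID kind matches the message's caveat: the workaround changes what a peer may claim about its identity, so it should be enabled deliberately per connection rather than globally, and it should not loosen the FQDN rule as a side effect.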