[Openswan dev] Openswan-2.3.0dr3 to Checkpoint NG AI55 success
Henrik Nordstrom
hno at marasystems.com
Fri Nov 26 09:46:24 CET 2004
On Fri, 26 Nov 2004, Karl Vogel wrote:
> However Checkpoint still violates the DOI 4.6.2.4 rule and
> expects a USER_FQDN without an '@' sign. After patching
> programs/pluto/id.c, I got it to work.
>
> Afterwards I googled for DOI 4.6.2.4 and found an old
> aggressive mode patch for freeswan which had a checkpoint 4.1
> interop define which did the same...
>
> http://marasystems.com/download/freeswan/freeswan-1.97-aggrmode.patch

Indeed. The Checkpoint Interop stuff was in the original aggressive mode
patch we inherited. As it was not directly aggressive mode related or
standardized we did not include it in the patch submitted to Super
FreeS/WAN.

This specific interop thing is included in the key id patch
http://marasystems.com/download/freeswan/key_id_type.patch and consists of
two parts

a) Removal of a trailing @ from FQDN IDs specified, to allow
   specification of such "checkpoint" IDs in the configuration.

b) Ignoring the check that a received FQDN must contain a @

The checkpoint workaround should be fairly safe to include, but should
perhaps use a more explicit configuration syntax to also allow for FQDN
names without a domain as this is accepted by OpenSWAN and FreeSWAN today.

The ID_KEY_ID support should also be fine if not there already.

Regards
Henrik
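
The two parts (a) and (b) described in the message above, as an added sketch in C that is not Openswan's code or the key_id_type patch: the relaxed check is tied to an explicit per-connection flag, along the lines the message suggests. The `allow_bare` flag, the function names and the reading of "name@" as the trailing-@ syntax are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* ID type values from the IPsec DOI (RFC 2407, section 4.6.2.1). */
enum { ID_FQDN = 2, ID_USER_FQDN = 3 };

struct peer_id { int type; char name[64]; };

/* Part (a): parse a configured ID. "@host" is ID_FQDN, "user@domain" is
 * ID_USER_FQDN. Assumed syntax: "name@" means ID_USER_FQDN "name" with the
 * trailing '@' removed, accepted only when allow_bare (hypothetical
 * per-connection option) is set. IDs without '@' are not handled here. */
bool parse_conf_id(const char *s, bool allow_bare, struct peer_id *out)
{
    size_t n = strlen(s);
    const char *at = strchr(s, '@');

    if (at == NULL || n < 2 || n >= sizeof out->name || strchr(at + 1, '@'))
        return false;
    if (at == s) {                      /* leading '@': host name */
        out->type = ID_FQDN;
        strcpy(out->name, s + 1);
        return true;
    }
    if (at[1] == '\0') {                /* trailing '@': bare user name */
        if (!allow_bare)
            return false;
        n--;                            /* drop the '@' */
    }
    out->type = ID_USER_FQDN;
    memcpy(out->name, s, n);
    out->name[n] = '\0';
    return true;
}

/* Part (b): check the body of a received ID_USER_FQDN payload (length
 * given, not NUL terminated). The '@' requirement is waived only for a
 * peer configured with allow_bare; empty and NUL-containing bodies are
 * always rejected (an added sanity check). */
bool check_received_user_fqdn(const char *p, size_t len, bool allow_bare)
{
    if (len == 0 || memchr(p, '\0', len) != NULL)
        return false;
    return allow_bare || memchr(p, '@', len) != NULL;
}
```

Keeping the flag per connection means every other peer is still held to the strict USER_FQDN check.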