[Openswan dev] Openswan-2.3.0dr3 to Checkpoint NG AI55 success

Karl Vogel karl.vogel at telenet.be
Sat Nov 27 15:30:13 CET 2004


On Fri, 2004-11-26 at 12:15 -0500, Michael Richardson wrote:

> >>>>> "Karl" == Karl Vogel <karl.vogel at telenet.be> writes:
>     Karl> Maybe a proper solution would be to accept '@' as last
>     Karl> character, but emit a big fat warning about a broken
>     Karl> implementation?! Or would an extra ipsec.conf connection
>     Karl> option to allow this brokenness be better?
> 
>   So, if you say user@\0, then you propose that we remove the @
> character in that situation?

That or add an extra configuration field to the config (i.e. instead of
the obfuscated way to select user_fqdn/der_asn1_dn/..., just have an
explicit config line that specifies the type), something like:

	leftidkind=user_fqdn
	leftid=ACCOUNTNAME

and then just accept a user_fqdn without '@'

>   Each such minor "edit" creates complexity.
> 
>   To get a patch easily accepted, start by writing a test case for it.
> (So, that means that you have to have a way to expect user@ on the
> responder as well!)
> 
>   Make your fix so that things work.
>   Then, run all of the other pluto test cases. Did you break anything?

I'm not at all familiar with the openswan sources, so unfortunately this
would take me quite some time to implement... and to make matters worse,
I just tried a connection with racoon and that works without problems
out-of-the-box as its config allows you to specify the id type, like
this:

     my_identifier user_fqdn "ACCOUNTNAME";
