[Openswan dev] XAUTH: Re-keying without re-authenticating?

Chris Poon dev-null at telus.net
Thu Feb 24 17:28:49 CET 2005

I don't know if I would really call this a problem but with SecurID being
the authentication method, I don't have a way to get around this. I've a
patched openswan that supports CheckPoint Hybrid mode and it works until
the re-key period is up.

Let's say the re-keying period is 1 hour. With XAUTH turned on,
re-authentication will need to happen because XAUTH happens between Phase1
and Phase2. However, reading the draft on XAUTH, it has a suggestion about
not needing to re-authenticate by sending a SET(STATUS=OK) MODECFG message.

Currently, after the first authentication, there is no socket left to
communicate with the end-user to prompt for username/password. When the re-key
occurs, XAUTH fails because it has no socket to prompt again. Now getting
rid of the re-authentication is only the first step - CheckPoint will force
a re-authentication after a pre-determined period and my assumption is that
it will do this but not doing an ACK(STATUS).

The draft suggested checking the ID to make sure we're talking to the same
peer before forgoing re-authentication, but looking at the code, I can't see
how I can do this, nor do I see a way to re-authenticate when the remote end
(CheckPoint) requires a re-authentication.

Any help would be greatly appreciated and please CC me as I don't have a
subscription to this list.
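The re-key decision discussed in the post, written out as a small model so the three cases (same peer within the authentication period, a different peer ID, and a forced re-authentication with no user prompt left) are explicit. This is an added example, not Openswan code or the patched build described above; the XAUTH_STATUS values OK=1 and FAIL=0 are taken from the XAUTH draft, and XauthSession, on_rekey and the sample identities are hypothetical.

```python
"""Model of the XAUTH-on-rekey decision: skip re-authentication only for the
same, still-valid peer; otherwise re-prompt or fail closed."""
from dataclasses import dataclass

# Assumed attribute values from the XAUTH draft (not from the post).
XAUTH_STATUS_OK = 1
XAUTH_STATUS_FAIL = 0


@dataclass
class XauthSession:
    peer_id: str             # ISAKMP identity authenticated in the initial Phase 1
    user: str                # user who completed the interactive XAUTH prompt
    authenticated_at: float  # seconds: when the interactive XAUTH completed
    reauth_interval: float   # seconds before fresh credentials are required
    prompt_channel: bool     # True only while the user can still be asked for a token


def on_rekey(session, rekey_peer_id, now, peer_forces_reauth=False):
    """Decide what to do when Phase 1 re-keys and the peer starts XAUTH again.

    Returns (action, xauth_status). Only 'skip_reauth' answers with
    SET(STATUS=OK); 'abort' tears the negotiation down with STATUS=FAIL.
    """
    # Precondition from the draft: only forgo re-authentication for the
    # identity that was authenticated in the first place.
    if rekey_peer_id != session.peer_id:
        return "abort", XAUTH_STATUS_FAIL
    # Gateway demanded fresh credentials (e.g. it withholds ACK(STATUS)),
    # or the local re-authentication period elapsed.
    expired = (now - session.authenticated_at) >= session.reauth_interval
    if not (peer_forces_reauth or expired):
        return "skip_reauth", XAUTH_STATUS_OK
    # Re-authentication is required: prompt if a channel still exists,
    # otherwise fail closed instead of keeping an unauthenticated tunnel.
    if session.prompt_channel:
        return "reauth", None
    return "abort", XAUTH_STATUS_FAIL


def simulate():
    """Constructed scenario: 1h re-key, 8h credential lifetime, no prompt socket."""
    s = XauthSession("gw.example.test", "alice", 0.0, 8 * 3600, prompt_channel=False)
    return [
        on_rekey(s, "gw.example.test", 3600),                           # same peer, in period
        on_rekey(s, "other.example.test", 3600),                        # different identity
        on_rekey(s, "gw.example.test", 3600, peer_forces_reauth=True),  # gateway forces it
        on_rekey(s, "gw.example.test", 9 * 3600),                       # period expired
    ]
```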