emsi at ipartners.pl
Thu Oct 6 09:22:54 CEST 2005
Thanks for the quick answer.
On Thu, 6 Oct 2005, Paul Wouters wrote:
>> It's far from being perfect so any suggestions are welcome. There are
>> also many issues to address like the reauthentication problem and so on so
>> don't expect it to be the ultimate solution ;)
> As far as I understood XAUTH connections in general have this problem and
> should never rekey.
Yes, but CP with SecureClient performs rekeying in some magic way avoiding
the need for reauthentication. Unfortunately it's not so easy to find
>> Another question is whether it's possible to implement this functionality
>> (this way or another) in mainstream OpenSwan?
> It's been added to our queue for reviewing. Did you happen to run the UML
> testsuite over a patched openswan to see what things your patch might have
Nope I didn't try it yet.
> One thing that worries me a bit is that the patch seems to touch
Yes. CP seems to be using the same values for different meanings.
> We would also most likely like to have this capability #ifdef'ed, so
> that a Makefile.inc variable determines whether or not to build with
> Hybrid Mode support. That would also limit any potential problems caused
> by this patch.
I agree, having this feature #ifdef'ed, especially that it conflicts with
other features seems to be necessary. I'll try to handle it.
> Oh, does this patch add support for both client and server? Can a uml
> testcase be written to show an openswan-openswan hybrid mode connection?
Unfortunately the server side is not implemented and thus cannot be
tested with OpenSwan only.
Internet Security Specialist, GTS - Internet Partners