[Openswan dev]

Mariusz Woloszyn emsi at ipartners.pl
Thu Oct 6 09:22:54 CEST 2005


Hi!

Thanks for the quick answer.

On Thu, 6 Oct 2005, Paul Wouters wrote:

>>  It's far from being perfect so any suggestions are welcome. There are 
>>  also many issues to address like the reauthentication problem and so on so 
>>  don't expect it to be the ultimate solution ;)
>
> As far as I understood XAUTH connections in general have this problem and
> should never rekey.
>
Yes, but CP with SecureClient performs rekeying in some magic way avoiding 
the need for reauthentication. Unfortunately it's not so easy to find 
what's happening.

>>  Another question is whether it's possible to implement this functionality 
>>  (this way or another) in mainstream OpenSwan?
>
> It's been added to our queue for reviewing. Did you happen to run the UML
> testsuite over a patched openswan to see what things your patch might have
> broken?
>
Nope, I didn't try it yet.

> One thing that worries me a bit is that the patch seems to touch
> INTERNAL_IP4_SUBNET.
>
Yes. CP seems to be using the same values for different meanings.

> We would also most likely like to have this capability #ifdef'ed, so
> that a Makefile.inc variable determines whether or not to build with
> Hybrid Mode support. That would also limit any potential problems caused
> by this patch.
>
I agree, having this feature #ifdef-ed, especially since it conflicts with 
other features, seems to be necessary. I'll try to handle it.

> Oh, does this patch add support for both client and server? Can a uml 
> testcase be written to show an openswan-openswan hybrid mode connection?

Unfortunately the server side is not implemented and thus cannot be 
tested with OpenSwan only.

Rgrds,

-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
