[Openswan dev]

Mariusz Woloszyn emsi at ipartners.pl
Thu Oct 6 09:22:54 CEST 2005


Thanks for the quick answer.

On Thu, 6 Oct 2005, Paul Wouters wrote:

>>  It's far from beeing perfect so any suggestions are welcome. There are 
>>  also many issues to address like the reauthentication problem and so on so 
>>  don't expect it to be ultimate solution ;)
> As far as I understood XAUTH connections in general have this problem and
> should never rekey.
Yes, but CP with SecureClient performs rekeying in some magic way avoiding 
the need for reauthentication. Unfortunately it's not so easy to find 
what's happening.

>>  Another question is whether it's possible to implement this functionality 
>>  (this way or another) in mainstream OpenSwan?
> It's been added to our queue for reviewing. Did you happen to run the UML
> testsuite over a patched openswan to see what things your patch might have
> broken?
Nope I didn't try it yet.

> One thing that worries me a bit is that the patch seems to touch
Yes. CP seems to be using the same values for different meanings.

> We would also most like would like to have this capability #ifdef'ed, so
> that a Makefile.inc variable determines whether or not to build with
> Hybrid Mode support. That would also limit any potential problems caused
> by this patch.
I agree, having this feature #ifded-ed, especially that it conflicts with 
other features seems to be necessary. I'll try to handle it.

> Oh, does this patch add support for both client and server? Can a uml 
> testcase be written to show an openswan-openswan hybrid mode connection?

Unfortunately the server side is not implemented and thus cannot be 
tested with OpenSwan only.


Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners

More information about the Dev mailing list