[Openswan dev] Fwd: Bug#359183: openswan: Unable to use "ike=" and "leftxauthclient=yes" simultaneously
Michael Richardson
mcr at sandelman.ottawa.on.ca
Mon May 22 16:05:16 CEST 2006
>>>>> "Rene" == Rene Mayrhofer <rmayr at debian.org> writes:
Rene> Here, it appears that IKE negotiation immediately fails because
Rene> the two peers do not agree on IKE settings, just like it
Rene> happens if I don't use the "ike=aes256-md5" line.
Rene> I suspect that "xauthclient=yes" somewhat overrides the "ike="
Rene> settings, making it impossible to use both at the same
Rene> time. Some online documentation reports this was a bug in
Rene> Openswan 2.2.* but, well, we're now with 2.4... :-)
Yes, xauthclient=yes certainly does override the ike= setting.
This won't be as bad with aggrmode=yes.
It's odd to use certificates with XAUTH, but we did test that.
It looks like we did not test:
XAUTH+certificates+ike=
The reason for this is that "XAUTH" changes the authentication
proposal from "RSA+aes128" to "RSAXauthInit+aes128".
I don't know when a fix will show up.
How important is this?
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
"The Microsoft _Get the Facts CD_ does not work on Linux." - orospakr