[Openswan dev] Fwd: Bug#359183: openswan: Unable to use "ike=" and "leftxauthclient=yes" simultaneously
mcr at sandelman.ottawa.on.ca
Mon May 22 16:05:16 CEST 2006
>>>>> "Rene" == Rene Mayrhofer <rmayr at debian.org> writes:
Rene> Here, it appears that IKE negotiation immediately fails because
Rene> the two peers do not agree on IKE settings, just like it
Rene> happens if I don't use the "ike=aes256-md5" line.
Rene> I suspect that "xauthclient=yes" somewhat overrides the "ike="
Rene> settings, making it impossible to use both at the same
Rene> time. Some online documentation reports this was a bug in
Rene> Openswan 2.2.* but, well, we're now with 2.4...:-)
Yes, xauthclient=yes certainly does override the ike= setting.
This won't be as bad with aggrmode=yes.
It's odd to use certificates with XAUTH, but we did test that.
It looks like we did not test:
The reason for this is that "XAUTH" changes the authentication
proposal from "RSA+aes128" to "RSAXauthInit+aes128".
I don't know when a fix will show up.
How important is this?
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
"The Microsoft _Get the Facts CD_ does not work on Linux." - orospakr