[Openswan dev] Fwd: Bug#359183: openswan: Unable to use "ike=" and "leftxauthclient=yes" simultaneously

Michael Richardson mcr at sandelman.ottawa.on.ca
Mon May 22 16:05:16 CEST 2006



>>>>> "Rene" == Rene Mayrhofer <rmayr at debian.org> writes:
    Rene> Here, it appears that IKE negotiation immediately fails because
    Rene> the two peers do not agree on IKE settings, just like it
    Rene> happens if I don't use the "ike=aes256-md5" line.

    Rene> I suspect that "xauthclient=yes" somewhat overrides the "ike="
    Rene> settings, making it impossible to use both at the same
    Rene> time. Some online documentation reports this was a bug in
    Rene> Openswan 2.2.* but, well, we're now with 2.4...:-)

  Yes, xauthclient=yes certainly does override the ike= setting.
  This won't be as bad with aggrmode=yes.

  It's odd to use certificates with XAUTH, but we did test that.
  It looks like we did not test:
     XAUTH+certificates+ike=

  The reason for this is that "XAUTH" changes the authentication
proposal from "RSA+aes128" to "RSAXauthInit+aes128".

  I don't know when a fix will show up.
  How important is this?

- -- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

    "The Microsoft _Get the Facts CD_ does not work on Linux." - orospakr
