[Openswan dev] Road warrior in aggressive mode can not use %any entry in ipsec.secrets if rightid (other than IP) is specified
hiren joshi
joshihirenn at gmail.com
Wed Dec 10 08:46:59 EST 2008
Hello,
If rightid is of a type other than an IP address, Openswan does not allow
aggressive mode connections to use the %any entry in ipsec.secrets.
----------------------------
openswan-2.4.9/programs/pluto/keys.c::422

#if defined(AGGRESSIVE)
    if (his_id_was_instantiated(c) && !(c->policy & POLICY_AGGRESSIVE))
    {
        DBG(DBG_CONTROL,
            DBG_log("instantiating him to 0.0.0.0"));
        /* roadwarrior: replace him with 0.0.0.0 */
        rw_id.kind = addrtypeof(&c->spd.that.host_addr) == AF_INET ?
                     ID_IPV4_ADDR : ID_IPV6_ADDR;
        happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
        his_id = &rw_id;
        idtoa(his_id, idhim2, IDTOA_BUF);
    }
#endif
#ifdef NAT_TRAVERSAL
    else if ((nat_traversal_enabled)
             && (c->policy & POLICY_PSK)
             && (kind == PPK_PSK)
             && (((c->kind == CK_TEMPLATE)
                  && (c->spd.that.id.kind == ID_NONE))
                 || ((c->kind == CK_INSTANCE)
                     && (id_is_ipaddr(&c->spd.that.id)))))
    {
        DBG(DBG_CONTROL,
            DBG_log("replace him to 0.0.0.0"));
---------------------------
Just curious about the motivation for this.
My guess is that, since in aggressive mode the ID is sent in the clear, it is to
prevent an existing road warrior user from using another user's ID.
Thanks for your time.
Regards,
-hiren
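To make the quoted predicate easier to trace, here is an added example (not Openswan's code): a simplified model of the two branches above, with the connection state reduced to scalar inputs. his_id_was_instantiated(), the POLICY_* bits and the secret kind (PPK_PSK) are modeled as plain flags rather than Openswan's structures, which is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Reduced enums standing in for Openswan's id_kind / connection_kind. */
enum id_kind { ID_NONE, ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN, ID_USER_FQDN };
enum conn_kind { CK_TEMPLATE, CK_INSTANCE };

static bool id_is_ipaddr(enum id_kind k)
{
    return k == ID_IPV4_ADDR || k == ID_IPV6_ADDR;
}

/* Returns true when the PSK lookup replaces the peer ID with 0.0.0.0,
 * i.e. when a %any entry in ipsec.secrets can match this peer.
 * - his_id_instantiated: result of his_id_was_instantiated(c) (modeled as a flag)
 * - aggressive:          c->policy & POLICY_AGGRESSIVE
 * - psk:                 (c->policy & POLICY_PSK) && kind == PPK_PSK
 * - nat_t:               nat_traversal_enabled */
bool lookup_uses_any(enum conn_kind kind, enum id_kind that_id,
                     bool his_id_instantiated, bool aggressive,
                     bool psk, bool nat_t)
{
    /* Branch 1 (AGGRESSIVE build): road warrior, but only in main mode. */
    if (his_id_instantiated && !aggressive)
        return true;

    /* Branch 2 (NAT_TRAVERSAL build): PSK only, and only when the peer ID is
     * absent (template) or is itself an IP address (instance). A non-IP
     * rightid such as an FQDN never satisfies this branch. */
    if (nat_t && psk &&
        ((kind == CK_TEMPLATE && that_id == ID_NONE) ||
         (kind == CK_INSTANCE && id_is_ipaddr(that_id))))
        return true;

    return false;
}

int main(void)
{
    /* The reported case: aggressive mode, instance with an FQDN rightid. */
    printf("aggressive + FQDN rightid  -> %%any usable: %d\n",
           lookup_uses_any(CK_INSTANCE, ID_FQDN, true, true, true, true));
    /* Same peer in main mode falls into branch 1. */
    printf("main mode  + FQDN rightid  -> %%any usable: %d\n",
           lookup_uses_any(CK_INSTANCE, ID_FQDN, true, false, true, true));
    /* Aggressive mode with an IP-address ID falls into branch 2. */
    printf("aggressive + IP rightid    -> %%any usable: %d\n",
           lookup_uses_any(CK_INSTANCE, ID_IPV4_ADDR, false, true, true, true));
    return 0;
}
```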