[Openswan dev] Road warrior in aggressive mode can not use %any entry in ipsec.secrets if rightid (other than IP) is specified

hiren joshi joshihirenn at gmail.com
Wed Dec 10 08:46:59 EST 2008


If rightid is other than IP address type, Openswan do not allow
Aggressive mode connections to use %any entry in ipsec.secrets.


#if defined(AGGRESSIVE)
   if (his_id_was_instantiated(c) && !(c->policy & POLICY_AGGRESSIVE))
           DBG_log("instantiating him to"));

       /* roadwarrior: replace him with */
       rw_id.kind = addrtypeof(&c->spd.that.host_addr) == AF_INET ?
           ID_IPV4_ADDR : ID_IPV6_ADDR;
       happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
       his_id = &rw_id;
       idtoa(his_id, idhim2, IDTOA_BUF);
   else if ((nat_traversal_enabled)
            && (c->policy & POLICY_PSK)
            && (kind == PPK_PSK)
            && (((c->kind == CK_TEMPLATE)
                 && (c->spd.that.id.kind == ID_NONE))
                || ((c->kind == CK_INSTANCE)
                    && (id_is_ipaddr(&c->spd.that.id)))))
           DBG_log("replace him to"));


Just curious about the motivation for this.
My guess is as in aggressive mode ID is sent in plain, it is to
prevent an existing road warrior user to use other user's ID.

Thanks for your time.


More information about the Dev mailing list