[Openswan dev] coexistence of RSA connections with and without Xauth

Andrey Alexandrenko aalexandrenko at telco-tech.de
Mon Dec 3 09:26:15 EST 2012


On 10/07/2012 12:30 AM, Paul Wouters wrote:
> On Tue, 21 Aug 2012, Andrey Alexandrenko wrote:
>
>> I have prepared a patch which solves the following issue with 
>> Xauth in Openswan for me.  Pluto may refuse to connect with a road warrior 
>> if some misc connections (with and without Xauth) are configured. The 
>> reason is that pluto does not regard the Xauth policy in main_inI1_outR2 
>> and may just choose an unsuitable connection for proceeding. In my 
>> patch I evaluate the XAUTH VID and use this information when 
>> finding the connection.
>> The patch was prepared for openswan-2.6.35, but it works with 
>> openswan-2.6.38 as well.
>>
>> Any feedback on the patch is appreciated.
>>
>> Regards, Andrey Alexandrenko
>
> Hi Andrey,
>
> It seems the following line of code might be causing a regression:
>
> +           if ((policy & POLICY_XAUTH) != (c->policy & POLICY_XAUTH)) 
> continue;
>
> By moving the line below the lines:
>
>         if ((c->policy & policy) == policy)
>             break;
>
> it resolves our regression. But we might have broken it for you again.
> Can you explain why you needed this in the first place. Do you perhaps
> have the ipsec.conf with the mix of conns that caused your problem? So
> we can try and reproduce this?
>
> thanks,
>
> Paul
>
>
Hello Paul,

I discovered a much better solution for my xauth problem. Using XAUTH_VID 
for setting the XAUTH policy is not the right way, because some IKE 
implementations (for example strongSwan) send XAUTH_VID even if no 
XAUTH was configured on the connection. Another, and I think the right, 
way is to use the authentication method information.

Regards, Andrey Alexandrenko

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-2.6.38-xauth_policy.patch
Type: text/x-patch
Size: 2534 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/dev/attachments/20121203/28cd6d7e/attachment.bin>
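Andrey's point of deriving the XAUTH policy from the proposed authentication method rather than from the XAUTH vendor ID, as an added C model that is not Openswan's code or the attached patch; the policy bit names, the conn table and the `pick` helper are constructed for illustration, and the 650xx auth-method numbers are assumed from draft-ietf-ipsec-isakmp-xauth.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not Openswan code: pick a connection for an IKEv1
 * main-mode peer from its proposed authentication method, so that the
 * presence of an XAUTH vendor ID is never used to infer XAUTH policy. */

/* Policy bits (constructed; Openswan's real lset_t policy values differ). */
#define POLICY_PSK    (1u << 0)
#define POLICY_RSASIG (1u << 1)
#define POLICY_XAUTH  (1u << 2)

/* ISAKMP auth-method values: 1 and 3 from RFC 2409; the 650xx values are
 * the private-use numbers from draft-ietf-ipsec-isakmp-xauth (assumed). */
enum { AUTH_PSK = 1, AUTH_RSA_SIG = 3, XAUTH_INIT_PSK = 65001,
       XAUTH_RESP_PSK = 65002, XAUTH_INIT_RSA = 65005, XAUTH_RESP_RSA = 65006 };

struct conn { const char *name; unsigned policy; };

/* Policy the peer asks for, derived from the auth method alone (0 = unknown). */
unsigned policy_from_auth_method(unsigned method) {
    switch (method) {
    case AUTH_PSK:                            return POLICY_PSK;
    case AUTH_RSA_SIG:                        return POLICY_RSASIG;
    case XAUTH_INIT_PSK: case XAUTH_RESP_PSK: return POLICY_PSK | POLICY_XAUTH;
    case XAUTH_INIT_RSA: case XAUTH_RESP_RSA: return POLICY_RSASIG | POLICY_XAUTH;
    default:                                  return 0;
    }
}

/* First conn whose auth type covers the request and whose XAUTH bit agrees. */
const struct conn *find_conn(const struct conn *c, size_t n, unsigned policy) {
    for (size_t i = 0; i < n; i++) {
        if ((c[i].policy & policy) != policy) continue;          /* auth type */
        if ((c[i].policy & POLICY_XAUTH) != (policy & POLICY_XAUTH)) continue;
        return &c[i];
    }
    return NULL;
}

/* Constructed mixed-conn list, with the XAUTH conn listed first. */
static const struct conn conns[] = {
    { "rsa-xauth", POLICY_RSASIG | POLICY_XAUTH },
    { "rsa-plain", POLICY_RSASIG },
    { "psk-xauth", POLICY_PSK | POLICY_XAUTH },
};

/* Name of the conn chosen for a peer proposing `method`, or "none".
 * A peer that sends XAUTH_VID but proposes plain RSA_SIG still lands on
 * "rsa-plain", because the VID is not consulted at all. */
const char *pick(unsigned method) {
    unsigned policy = policy_from_auth_method(method);
    const struct conn *c = policy ? find_conn(conns, 3, policy) : NULL;
    return c ? c->name : "none";
}
```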
