[Openswan dev] coexistence of RSA connections with and without Xauth
aalexandrenko at telco-tech.de
Mon Dec 3 09:26:15 EST 2012
On 10/07/2012 12:30 AM, Paul Wouters wrote:
> On Tue, 21 Aug 2012, Andrey Alexandrenko wrote:
>> I have prepared a patch which solves for me the following issue with
>> Xauth in Openswan. Pluto may refuse to connect with a road warrior
>> if some misc connections (with and without Xauth) are configured. The
>> reason is that pluto does not regard the Xauth policy in main_inI1_outR2
>> and may just choose an unsuitable connection for proceeding. In my
>> patch I evaluate the XAUTH VID and use this information by connection
>> The patch was prepared for openswan-2.6.35, but it works with
>> openswan-2.6.38 as well.
>> Any feedback on the patch is appreciated.
>> Regards, Andrey Alexandrenko
> Hi Andrey,
> It seems the following line of code might be causing a regression:
> + if ((policy & POLICY_XAUTH) != (c->policy & POLICY_XAUTH))
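Review bot: placed before the existing `if ((c->policy & policy) == policy)` subset test, this strict equality on the XAUTH bit rejects a conn as soon as its XAUTH setting differs from `policy`, so every candidate is filtered on XAUTH before the normal policy match ever runs, which is the regression reported above. Move it after the subset test so the XAUTH comparison only narrows among conns that already match, and document where the XAUTH bit of `policy` comes from: if it is taken from the XAUTH VID, peers that send the VID without having XAUTH configured (strongSwan, as noted later in the thread) will be steered to an XAUTH conn they cannot complete.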
> By moving the line below the lines:
> if ((c->policy & policy) == policy)
> it resolves our regression. But we might have broken it for you again.
> Can you explain why you needed this in the first place? Do you perhaps
> have the ipsec.conf with the mix of conns that caused your problem, so
> we can try and reproduce this?
I have discovered a much better solution for my xauth problem. Using XAUTH_VID
for setting the XAUTH policy is not the right way, because some IKE
implementations (for example strongSwan) send XAUTH_VID even if no
XAUTH was configured on the connection. Another, and I think the right,
way is to use the authentication method information.
Regards, Andrey Alexandrenko
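The difference between the two selection strategies discussed in this thread, as an added illustration that is not Openswan's code and not the patch attached to this message. The policy flag values, the two sample conns (one RSA conn with XAUTH, one without) and the helper names are constructed for the example; the auth-method numbers are the IKEv1 values for RSA signature (3) and the XAUTH RSA variants from the ISAKMP XAUTH draft (65005/65006), assumed here rather than taken from pluto's own headers. The VID-based variant steers a peer that proposes plain RSA signature but still sends the XAUTH VID to the XAUTH conn; the auth-method variant picks the conn whose XAUTH bit matches what the peer actually proposed, applying the XAUTH equality check only after the usual policy subset test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy flags for this example (not pluto's real bit layout). */
#define POLICY_RSASIG 0x1u
#define POLICY_XAUTH  0x2u

/* IKEv1 authentication-method codes (assumed values, see lead-in). */
enum {
    OAKLEY_RSA_SIG = 3,       /* plain RSA signature, no XAUTH */
    XAUTHInitRSA   = 65005,   /* RSA signature + XAUTH, initiator side */
    XAUTHRespRSA   = 65006    /* RSA signature + XAUTH, responder side */
};

struct conn {
    const char *name;
    unsigned policy;
};

/* Constructed ipsec.conf-like mix: the same RSA road-warrior conn with and without XAUTH. */
static const struct conn SAMPLE_CONNS[] = {
    { "rw-rsa",       POLICY_RSASIG },
    { "rw-rsa-xauth", POLICY_RSASIG | POLICY_XAUTH },
};
#define N_SAMPLE (sizeof SAMPLE_CONNS / sizeof SAMPLE_CONNS[0])

/* Map the authentication method the peer proposed to the policy bits it implies.
 * Returns false for methods this example does not model. */
static bool policy_from_auth(unsigned auth, unsigned *out)
{
    switch (auth) {
    case OAKLEY_RSA_SIG: *out = POLICY_RSASIG;                return true;
    case XAUTHInitRSA:
    case XAUTHRespRSA:   *out = POLICY_RSASIG | POLICY_XAUTH; return true;
    default:             return false;
    }
}

/* Subset test first, then the XAUTH bit must match exactly: a conn that
 * requires XAUTH must not serve a proposal without it, and vice versa. */
static bool conn_accepts(const struct conn *c, unsigned want)
{
    if ((c->policy & want) != want)
        return false;
    return (c->policy & POLICY_XAUTH) == (want & POLICY_XAUTH);
}

static const struct conn *first_match(const struct conn *cs, size_t n, unsigned want)
{
    for (size_t i = 0; i < n; i++)
        if (conn_accepts(&cs[i], want))
            return &cs[i];
    return NULL;
}

/* Strategy rejected in the thread: XAUTH is wanted iff the peer sent the XAUTH VID. */
static const struct conn *find_conn_by_vid(const struct conn *cs, size_t n,
                                           unsigned auth, bool xauth_vid_seen)
{
    unsigned want;
    if (!policy_from_auth(auth, &want))
        return NULL;
    want = (want & ~POLICY_XAUTH) | (xauth_vid_seen ? POLICY_XAUTH : 0u);
    return first_match(cs, n, want);
}

/* Strategy proposed in the thread: derive XAUTH from the authentication method. */
static const struct conn *find_conn_by_auth(const struct conn *cs, size_t n, unsigned auth)
{
    unsigned want;
    if (!policy_from_auth(auth, &want))
        return NULL;
    return first_match(cs, n, want);
}

int main(void)
{
    /* A strongSwan-style peer: proposes plain RSA signature but sends the XAUTH VID. */
    const struct conn *by_vid  = find_conn_by_vid(SAMPLE_CONNS, N_SAMPLE, OAKLEY_RSA_SIG, true);
    const struct conn *by_auth = find_conn_by_auth(SAMPLE_CONNS, N_SAMPLE, OAKLEY_RSA_SIG);
    printf("VID-based selection : %s\n", by_vid ? by_vid->name : "(none)");
    printf("auth-based selection: %s\n", by_auth ? by_auth->name : "(none)");
    return 0;
}
```

With the sample conns, the VID-based selection lands on `rw-rsa-xauth` for that peer and pluto would then wait for an XAUTH exchange the peer never intended to run, while the auth-based selection lands on `rw-rsa`; a peer proposing `XAUTHInitRSA` is routed to `rw-rsa-xauth` by both.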
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2534 bytes
Desc: not available