[Openswan dev] coexistence of RSA connections with and without Xauth

Andrey Alexandrenko aalexandrenko at telco-tech.de
Mon Oct 8 04:04:30 EDT 2012

On 07.10.2012 00:30, Paul Wouters wrote:
> On Tue, 21 Aug 2012, Andrey Alexandrenko wrote:
>> I have prepared a patch which solves for me the following issue with 
>> Xauth in Openswan. Pluto may refuse to connect with a road warrior if 
>> some misc connections (with and without Xauth) are configured. The 
>> reason is that pluto does not regard Xauth policy in main_inI1_outR2 
>> and may just choose an unsuitable connection for proceeding. In my 
>> patch I evaluate XAUTH VID and use this information when finding the 
>> connection.
>> The patch was prepared for openswan-2.6.35, but it works with 
>> openswan-2.6.38 as well.
>> Any feedback on the patch is appreciated.
>> Regards, Andrey Alexandrenko
> Hi Andrey,
> It seems the following line of code might be causing a regression:
> + if ((policy & POLICY_XAUTH) != (c->policy & POLICY_XAUTH)) continue;
> By moving the line below the lines:
> if ((c->policy & policy) == policy)
> break;
> it resolves our regression. But we might have broken it for you again.
> Can you explain why you needed this in the first place? Do you perhaps
> have the ipsec.conf with the mix of conns that caused your problem? So
> we can try and reproduce this?
> thanks,
> Paul

Hello Paul,

Both (right and left) sites have to be XAUTH-Client/Server or have no 
XAUTH setting at all, else the connection will fail. This is the reason 
why I've put the line in. "(c->policy & policy) == policy" does not always 
cover the case. It does not work if the local configuration has XAUTH 
policy but the remote doesn't.

I don't use ipsec.conf on my system, because I create my configuration 
from database data and pass it through with whack.
It is very easy to reproduce my case. You need to configure two similar 
RSA connections (except for the XAUTH setting) to "any" remote site. One of 
them (depending on the order they are configured in) won't be established 
without the patch.

Regards, Andrey
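
The selection behaviour discussed in this thread, as an added example that is not part of the original message and is not Openswan code: a simplified model of a first-match connection search, comparing the subset test alone with the XAUTH equality check in front of it. The struct, function names, connection names and policy bit values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bit values are constructed for this example, not taken from Openswan. */
#define POLICY_RSASIG 0x1u
#define POLICY_XAUTH  0x2u

struct conn { const char *name; unsigned policy; };

/* Constructed sample: two RSA conns to "any" peer, differing only in XAUTH. */
static const struct conn conns[] = {
    { "rsa-xauth", POLICY_RSASIG | POLICY_XAUTH },
    { "rsa-plain", POLICY_RSASIG },
};
#define NCONNS (sizeof conns / sizeof conns[0])

/* Subset test only: the first conn containing every requested bit wins. */
static const struct conn *find_subset(unsigned policy)
{
    for (size_t i = 0; i < NCONNS; i++)
        if ((conns[i].policy & policy) == policy)
            return &conns[i];
    return NULL;
}

/* Same loop with the XAUTH bit required to be equal on both sides. */
static const struct conn *find_xauth_equal(unsigned policy)
{
    for (size_t i = 0; i < NCONNS; i++) {
        if ((policy & POLICY_XAUTH) != (conns[i].policy & POLICY_XAUTH))
            continue;
        if ((conns[i].policy & policy) == policy)
            return &conns[i];
    }
    return NULL;
}

int main(void)
{
    unsigned peer_plain = POLICY_RSASIG;                /* no XAUTH VID seen */
    unsigned peer_xauth = POLICY_RSASIG | POLICY_XAUTH; /* XAUTH VID seen */
    printf("plain peer, subset only: %s\n", find_subset(peer_plain)->name);
    printf("plain peer, XAUTH equal: %s\n", find_xauth_equal(peer_plain)->name);
    printf("xauth peer, subset only: %s\n", find_subset(peer_xauth)->name);
    printf("xauth peer, XAUTH equal: %s\n", find_xauth_equal(peer_xauth)->name);
    return 0;
}
```

With the XAUTH connection listed first, the subset test hands a peer that sent no XAUTH VID the XAUTH connection, which is the order-dependent failure described in the message; the equality check makes the choice independent of order in this model.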
