[Openswan Users] ANNOUNCE: x509-1.5.1 patch for freeswan-2.04 released

Andreas Steffen andreas.steffen at strongsec.net
Sun Feb 8 11:31:13 CET 2004

Version 1.5.1 of the X.509 patch for FreeS/WAN 2.04 fully integrates
Mathieu Lafon's support of notification messages. I made some slight
changes which allows Pluto to send and receive informational messages
in *encrypted* form at the earliest possible moment, i.e. shortly
after the DH secret of IKE Main Mode has been established. This is
in accordance with RFC 2408 ISAKMP:

    If the Informational Exchange occurs prior to the exchange of keying
    meterial during an ISAKMP Phase 1 negotiation, there will be no
    protection provided for the Informational Exchange.  Once keying
    material has been exchanged or an ISAKMP SA has been established, the
    Informational Exchange *MUST* be transmitted under the protection
    provided by the keying material or the ISAKMP SA.

This new approach gets rid of the two warnings typical of the original
Notify patch that

  - either an encrypted informational message was not accepted because
    the ISAKMP SA hasn't been established yet on the receiving side

  - or that the informational message should have been encrypted because
    the receiving side has already established the ISAKMP SA but the peer
    hasn't yet.

The new release of the X.509 patch can be downloaded from


Kind regards


Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

More information about the Users mailing list