[Openswan Users] DSL modems in bridge mode and UDP fragmentation

Tim Bouwer TBouwer at pfn.com
Mon Jan 5 19:21:19 CET 2004


OK, thanks

Today I found a business class Verizon DSL connection on the East Coast
where I can test several modems and determine (with no routers and ACL's)
whether the Westell 2100 and friends are at fault.

The option to not send certs is very attractive but would involve upgrading
the machines in Washington state (these boxes are still using superfreeswan
1.99) so this looks like something worth pursuing a bit further down the
line.  An option to not send CR's configurable per connection is also
appealing.  I can find out if someone over here can look into adding a flag
in the code to stop sending CR's if the cert is held locally and is still
valid.

Thanks for the advice.  I'll post findings after testing some modems on Wed.


regards
Tim


-----Original Message-----
From: Michael Richardson [mailto:mcr at sandelman.ottawa.on.ca]
Sent: Monday, January 05, 2004 5:54 PM
To: Tim Bouwer
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] DSL modems in bridge mode and UDP fragmentation



>>>>> "Tim" == Tim Bouwer <TBouwer at pfn.com> writes:
    Tim> How do you stop openswan from sending the cert or requesting the
    Tim> cert?

  X.509 is not always well documented, alas.
  I'm sorry, I lie. There is no user-accessible option to prevent sending the
certificate. I'm actually surprised here. I'm too close to the inside of the
code.

  It should really be a per-conn initiator option. 

  I can add it to OSW 2.x.x if you'd like to test with that.

  Or, you can hack code in ipsec_doi.c, main_inR2_outI3.

    Tim> Is there some magic that I am missing in ipsec.conf?  We do not use
    Tim> ldap or dns provided certs.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

  
