<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:10pt"><div>I'm trying to follow the discussion in the thread below:</div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">https://lists.strongswan.org/pipermail/users/2012-October/008357.html<br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">I too face a similar issue and want to identify the user based on the client certificate instead of the XAUTH username.  I've used the patch below, which is a combination of reverting
 change# http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0fbfcf2a (as described in the above thread).  I also had to make a similar change for mempool based IP allocation.  The patch below is against 5.1.0.  Could anyone provide me some confirmation if I'm on the right track?</div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">Thanks,</div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">Piyush</div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent;
 font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; ">----------------</div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: 'times new roman', 'new york', times, serif; background-color: transparent; font-style: normal; "><div style="background-color: transparent; ">--- strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.h.orig<span class="Apple-tab-span" style="white-space:pre">       </span>2013-09-18 14:28:32.606439759 -0700</div><div style="background-color: transparent; ">+++ strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.h<span class="Apple-tab-span" style="white-space:pre">  </span>2013-09-18 14:28:55.094157048 -0700</div><div
 style="background-color: transparent; ">@@ -172,8 +172,6 @@ struct ike_sa_manager_t {</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">       </span>/**</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">  </span> * Create an enumerator over ike_sa_id_t*, matching peer identities.</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre"> </span> *</div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">        </span> * The remote peer is identified by its XAuth or EAP identity, if available.</div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">      </span> *</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">   </span> * @param me<span
 class="Apple-tab-span" style="white-space:pre">                         </span>local peer identity to match</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre"> </span> * @param other<span class="Apple-tab-span" style="white-space:pre">                             </span>remote peer identity to match</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">        </span> * @param family<span class="Apple-tab-span" style="white-space:pre">                    </span>address family to match, 0 for any</div><div style="background-color: transparent; ">--- strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.c.orig<span class="Apple-tab-span" style="white-space:pre">      </span>2013-09-18 11:29:11.330233469 -0700</div><div style="background-color: transparent; ">+++ strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.c<span class="Apple-tab-span" style="white-space:pre">  </span>2013-09-19 09:36:30.792472820 -0700</div><div
 style="background-color: transparent; ">@@ -1553,7 +1553,7 @@ METHOD(ike_sa_manager_t, checkin, void,</div><div style="background-color: transparent; "> </div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">        </span>ike_sa_id = ike_sa->get_id(ike_sa);</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">       </span>my_id = ike_sa->get_my_id(ike_sa);</div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">     </span>other_id = ike_sa->get_other_eap_id(ike_sa);</div><div style="background-color: transparent; ">+<span class="Apple-tab-span" style="white-space:pre">   </span>other_id = ike_sa->get_other_id(ike_sa);</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">  </span>other = ike_sa->get_other_host(ike_sa);</div><div
 style="background-color: transparent; "> </div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">      </span>DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa),</div><div style="background-color: transparent; ">@@ -1782,7 +1782,7 @@ METHOD(ike_sa_manager_t, check_uniquenes</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">         </span>return FALSE;</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">        </span>}</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">    </span>me = ike_sa->get_my_id(ike_sa);</div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">        </span>other = ike_sa->get_other_eap_id(ike_sa);</div><div style="background-color: transparent; ">+<span
 class="Apple-tab-span" style="white-space:pre"> </span>other = ike_sa->get_other_id(ike_sa);</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">     </span>other_host = ike_sa->get_other_host(ike_sa);</div><div style="background-color: transparent; "> </div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">       </span>enumerator = create_id_enumerator(this, me, other,</div><div style="background-color: transparent; ">--- strongswan-5.1.0/src/libcharon/sa/ikev1/tasks/mode_config.c.orig<span class="Apple-tab-span" style="white-space:pre">     </span>2013-09-18 11:31:31.586565089 -0700</div><div style="background-color: transparent; ">+++ strongswan-5.1.0/src/libcharon/sa/ikev1/tasks/mode_config.c<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 11:30:52.487516386 -0700</div><div style="background-color: transparent; ">@@
 -322,7 +322,7 @@ METHOD(task_t, build_r, status_t,</div><div style="background-color: transparent; "> </div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">        </span>cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);</div><div style="background-color: transparent; "> </div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">  </span>id = this->ike_sa->get_other_eap_id(this->ike_sa);</div><div style="background-color: transparent; ">+<span class="Apple-tab-span" style="white-space:pre">       </span>id = this->ike_sa->get_other_id(this->ike_sa);</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">      </span>config = this->ike_sa->get_peer_cfg(this->ike_sa);</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">
        </span>vips = linked_list_create();</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre"> </span>pools = linked_list_create_from_enumerator(</div><div style="background-color: transparent; ">--- strongswan-5.1.0/src/libcharon/sa/ikev2/tasks/ike_config.c.orig<span class="Apple-tab-span" style="white-space:pre">     </span>2013-09-18 14:24:55.321171406 -0700</div><div style="background-color: transparent; ">+++ strongswan-5.1.0/src/libcharon/sa/ikev2/tasks/ike_config.c<span class="Apple-tab-span" style="white-space:pre">  </span>2013-09-18 14:25:11.272970865 -0700</div><div style="background-color: transparent; ">@@ -339,7 +339,7 @@ METHOD(task_t, build_r, status_t,</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">            </span>linked_list_t *vips, *pools;</div><div style="background-color: transparent; "> <span class="Apple-tab-span"
 style="white-space:pre">          </span>host_t *requested;</div><div style="background-color: transparent; "> </div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">         </span>id = this->ike_sa->get_other_eap_id(this->ike_sa);</div><div style="background-color: transparent; ">+<span class="Apple-tab-span" style="white-space:pre">               </span>id = this->ike_sa->get_other_id(this->ike_sa);</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">              </span>config = this->ike_sa->get_peer_cfg(this->ike_sa);</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">          </span>vips = linked_list_create();</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">         </span>pools = linked_list_create_from_enumerator(</div><div
 style="background-color: transparent; ">--- strongswan-5.1.0/src/libcharon/sa/ike_sa.c.orig<span class="Apple-tab-span" style="white-space:pre">        </span>2013-09-18 11:25:41.996247839 -0700</div><div style="background-color: transparent; ">+++ strongswan-5.1.0/src/libcharon/sa/ike_sa.c<span class="Apple-tab-span" style="white-space:pre">  </span>2013-09-18 11:26:13.263480953 -0700</div><div style="background-color: transparent; ">@@ -2163,7 +2163,7 @@ METHOD(ike_sa_t, destroy, void,</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                    </span>linked_list_t *pools;</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                        </span>identification_t *id;</div><div style="background-color: transparent; "> </div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">                      </span>id =
 get_other_eap_id(this);</div><div style="background-color: transparent; ">+<span class="Apple-tab-span" style="white-space:pre">                       </span>id = get_other_id(this);</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                     </span>pools = linked_list_create_from_enumerator(</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                                          </span>this->peer_cfg->create_pool_enumerator(this->peer_cfg));</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                    </span>hydra->attributes->release_address(hydra->attributes, pools, vip, id);</div><div style="background-color: transparent; ">--- strongswan-5.1.0/src/libcharon/processing/jobs/adopt_children_job.c.orig<span class="Apple-tab-span" style="white-space:pre">        </span>2013-09-18 11:26:52.534613495 -0700</div><div
 style="background-color: transparent; ">+++ strongswan-5.1.0/src/libcharon/processing/jobs/adopt_children_job.c<span class="Apple-tab-span" style="white-space:pre">    </span>2013-09-19 10:41:23.070404979 -0700</div><div style="background-color: transparent; ">@@ -77,7 +77,7 @@ METHOD(job_t, execute, job_requeue_t,</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">          </span>/* find old SA to adopt children from */</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">             </span>children = linked_list_create();</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">             </span>enumerator = charon->ike_sa_manager->create_id_enumerator(</div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">                                                                  </span>charon->ike_sa_manager, my_id,
 xauth,</div><div style="background-color: transparent; ">+<span class="Apple-tab-span" style="white-space:pre">                                                                        </span>charon->ike_sa_manager, my_id, other_id,</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                                                                  </span>other->get_family(other));</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                </span>while (enumerator->enumerate(enumerator, &id))</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                </span>{</div><div style="background-color: transparent; ">@@ -92,7 +92,7 @@ METHOD(job_t, execute, job_requeue_t,</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                                    </span> ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&</div><div style="background-color: transparent; "> <span
 class="Apple-tab-span" style="white-space:pre">                                 </span>me->equals(me, ike_sa->get_my_host(ike_sa)) &&</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                                 </span>other->equals(other, ike_sa->get_other_host(ike_sa)) &&</div><div style="background-color: transparent; ">-<span class="Apple-tab-span" style="white-space:pre">                                     </span>other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) &&</div><div style="background-color: transparent; ">+<span class="Apple-tab-span" style="white-space:pre">                                 </span>xauth->equals(xauth, ike_sa->get_other_eap_id(ike_sa)) &&</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                                      </span>cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))</div><div style="background-color: transparent; "> <span class="Apple-tab-span"
 style="white-space:pre">                          </span>{</div><div style="background-color: transparent; "> <span class="Apple-tab-span" style="white-space:pre">                                    </span>childenum = ike_sa->create_child_sa_enumerator(ike_sa);</div><div><br></div></div></div></body></html>
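Review bot: in ike_sa_manager.c, checkin (@@ -1553) and check_uniqueness (@@ -1782) now take the peer identity from get_other_id() unconditionally, so uniqueness is decided per IKE identity (the certificate identity in this setup) and no longer per XAuth or EAP user. Where several XAuth users authenticate with the same certificate or a shared group identity, their IKE_SAs will now look like duplicates of each other to check_uniqueness. Consider making the identity source a configuration choice rather than a hard-coded revert, and in ike_sa_manager.h replace the removed sentence with one that states which identity create_id_enumerator matches, since the hunk at @@ -172 deletes the only documentation of it.<br><br>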
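Review bot: the identity used for virtual IP leases is switched at three sites (build_r in mode_config.c @@ -322, build_r in ike_config.c @@ -339, and destroy in ike_sa.c @@ -2163, where id is passed to release_address), and all of them have to agree: an address handed out under one identity and released under another may not be found by the pool on release. Check that no caller outside these three hunks still passes get_other_eap_id() to the attribute manager. Also note in the commit message that leases are now keyed by the certificate identity, so two XAuth users presenting the same certificate are no longer distinguished by the pool.<br><br>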
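Review bot: in adopt_children_job.c the condition at @@ -92 now calls xauth->equals(xauth, ike_sa->get_other_eap_id(ike_sa)) on every candidate, whereas before the patch xauth was only passed as an argument to create_id_enumerator at @@ -77; confirm that xauth can never be NULL at this point for peers that did not perform XAuth, or guard the call. The swap of other_id into the enumerator follows from checkin in ike_sa_manager.c now using get_other_id(), so the two files must be changed together; a short comment above the loop saying that the enumerator selects by IKE identity and the condition filters by XAuth identity would keep the next reader from undoing one half.<br><br>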