[strongSwan] Help with UNITY_SAVE_PASSWD attribute

Chris Zelenak netshade at gmail.com
Mon Nov 28 16:27:13 CET 2011


Tobias,

Thanks for the reply.

Regarding the attr plugin only supporting IP addresses, phew - I had looked
a few times at that code and compared it w/ the docs and thought I was just
missing something that would allow arbitrary values through.  Good to know,
I'll try the attr_sql plugin in the future.

Insofar as the UNITY_SAVE_PASSWD attribute not being respected by the
iPhone, I'll have to look further into it - my basis for assuming it /is/
supported by the iPhone is here:

http://www.i-1.nl/blog/?p=163

wherein the author claims that configuring the group policy on a Cisco VPN
to pass the attribute:

password-storage enable

to the client in order to allow local password storage.  I had assumed that
the UNITY_SAVE_PASSWD attribute roughly correlated to the behavior toggled
by the above password-storage attribute, which I arrived at due to the
bottom of this thread:

https://discussions.apple.com/thread/2390965?start=0&tstart=0

I realize this list is probably not the best place to ask about the
idiosyncrasies of Cisco VPNs :) but if you had an idea whether I was on the
right track with this, it would be quite helpful.  In the meantime I'll be
looking into whether Apple used racoon, and if they did, whether or not
they contributed their changes back.  Fingers crossed. :)

Chris Zelenak

On Mon, Nov 28, 2011 at 8:19 AM, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Chris,
>
> > If anyone could help me out in figuring out why:
> >
> > A) the attr plugin doesn't seem to be working
>
> I looked into that and it seems the attr plugin only supports IP
> addresses and subnets as values (i.e. no strings or ints).  The attr-sql
> plugin [1] supports more types, so that might be worth a try to avoid
> having to change the code.
>
> > B) if I'm sending down the value incorrectly in my hack inside modecfg.c
>
> No, the changes to pluto look fine.  Whether the value is correct I
> don't know, but racoon at least uses the same.
>
> Are you sure the iPhone actually supports this attribute?  I'm not sure
> but I suppose Apple uses racoon in iOS, which actually ignores this
> attribute when used as client.  At least by default, could be that they
> somehow added support for it, though.
>
> Regards,
> Tobias
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/AttrSQL
>