<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:10pt"><div><div><div>Apologies, but reposting to the correct mailing list.</div><div><br></div><div>I'm trying to follow the discussion in the thread below:</div><div><br></div><div>https://lists.strongswan.org/pipermail/users/2012-October/008357.html</div><div><br></div><div>I too face a similar issue and want to identify the user based on the client certificate instead of the XAUTH username. I've used the patch below, which is a combination of reverting change# http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0fbfcf2a (as described in the above thread). I also had to make a similar change for mempool-based IP allocation. The patch below is against 5.1.0. Could anyone give me some confirmation that I'm on the right
track.</div><div><br></div><div>Thanks,</div><div>Piyush</div><div><br></div><div>----------------</div><div><br></div><div>--- strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.h.orig<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 14:28:32.606439759 -0700</div><div>+++ strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.h<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 14:28:55.094157048 -0700</div><div>@@ -172,8 +172,6 @@ struct ike_sa_manager_t {</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>/**</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span> * Create an enumerator over ike_sa_id_t*, matching peer identities.</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span> *</div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span> * The remote peer is identified by its XAuth or EAP identity, if
available.</div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span> *</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span> * @param me<span class="Apple-tab-span" style="white-space:pre"> </span>local peer identity to match</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span> * @param other<span class="Apple-tab-span" style="white-space:pre"> </span>remote peer identity to match</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span> * @param family<span class="Apple-tab-span" style="white-space:pre"> </span>address family to match, 0 for any</div><div>--- strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.c.orig<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 11:29:11.330233469 -0700</div><div>+++ strongswan-5.1.0/src/libcharon/sa/ike_sa_manager.c<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-19 09:36:30.792472820
-0700</div><div>@@ -1553,7 +1553,7 @@ METHOD(ike_sa_manager_t, checkin, void,</div><div> </div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>ike_sa_id = ike_sa->get_id(ike_sa);</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>my_id = ike_sa->get_my_id(ike_sa);</div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span>other_id = ike_sa->get_other_eap_id(ike_sa);</div><div>+<span class="Apple-tab-span" style="white-space:pre"> </span>other_id = ike_sa->get_other_id(ike_sa);</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>other = ike_sa->get_other_host(ike_sa);</div><div> </div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa),</div><div>@@ -1782,7 +1782,7 @@ METHOD(ike_sa_manager_t, check_uniquenes</div><div> <span class="Apple-tab-span"
style="white-space:pre"> </span>return FALSE;</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>}</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>me = ike_sa->get_my_id(ike_sa);</div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span>other = ike_sa->get_other_eap_id(ike_sa);</div><div>+<span class="Apple-tab-span" style="white-space:pre"> </span>other = ike_sa->get_other_id(ike_sa);</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>other_host = ike_sa->get_other_host(ike_sa);</div><div> </div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>enumerator = create_id_enumerator(this, me, other,</div><div>--- strongswan-5.1.0/src/libcharon/sa/ikev1/tasks/mode_config.c.orig<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 11:31:31.586565089 -0700</div><div>+++
strongswan-5.1.0/src/libcharon/sa/ikev1/tasks/mode_config.c<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 11:30:52.487516386 -0700</div><div>@@ -322,7 +322,7 @@ METHOD(task_t, build_r, status_t,</div><div> </div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>cp = cp_payload_create_type(CONFIGURATION_V1, CFG_REPLY);</div><div> </div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span>id = this->ike_sa->get_other_eap_id(this->ike_sa);</div><div>+<span class="Apple-tab-span" style="white-space:pre"> </span>id = this->ike_sa->get_other_id(this->ike_sa);</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>config = this->ike_sa->get_peer_cfg(this->ike_sa);</div><div> </div><div><span class="Apple-tab-span" style="white-space:pre"> </span>vips = linked_list_create();</div><div> <span class="Apple-tab-span"
style="white-space:pre"> </span>pools = linked_list_create_from_enumerator(</div><div>--- strongswan-5.1.0/src/libcharon/sa/ikev2/tasks/ike_config.c.orig<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 14:24:55.321171406 -0700</div><div>+++ strongswan-5.1.0/src/libcharon/sa/ikev2/tasks/ike_config.c<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 14:25:11.272970865 -0700</div><div>@@ -339,7 +339,7 @@ METHOD(task_t, build_r, status_t,</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>linked_list_t *vips, *pools;</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>host_t *requested;</div><div> </div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span>id = this->ike_sa->get_other_eap_id(this->ike_sa);</div><div>+<span class="Apple-tab-span" style="white-space:pre"> </span>id =
this->ike_sa->get_other_id(this->ike_sa);</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>config = this->ike_sa->get_peer_cfg(this->ike_sa);</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>vips = linked_list_create();</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>pools = linked_list_create_from_enumerator(</div><div>--- strongswan-5.1.0/src/libcharon/sa/ike_sa.c.orig<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 11:25:41.996247839 -0700</div><div>+++ strongswan-5.1.0/src/libcharon/sa/ike_sa.c<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 11:26:13.263480953 -0700</div><div>@@ -2163,7 +2163,7 @@ METHOD(ike_sa_t, destroy, void,</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>linked_list_t *pools;</div><div> <span class="Apple-tab-span" style="white-space:pre">
</span></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>identification_t *id;</div><div> </div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span>id = get_other_eap_id(this);</div><div>+<span class="Apple-tab-span" style="white-space:pre"> </span>id = get_other_id(this);</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>pools = linked_list_create_from_enumerator(</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>this->peer_cfg->create_pool_enumerator(this->peer_cfg));</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>hydra->attributes->release_address(hydra->attributes, pools, vip, id);</div><div>--- strongswan-5.1.0/src/libcharon/processing/jobs/adopt_children_job.c.orig<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-18 11:26:52.534613495 -0700</div><div>+++
strongswan-5.1.0/src/libcharon/processing/jobs/adopt_children_job.c<span class="Apple-tab-span" style="white-space:pre"> </span>2013-09-19 10:41:23.070404979 -0700</div><div>@@ -77,7 +77,7 @@ METHOD(job_t, execute, job_requeue_t,</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>/* find old SA to adopt children from */</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>children = linked_list_create();</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>enumerator = charon->ike_sa_manager->create_id_enumerator(</div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span>charon->ike_sa_manager, my_id, xauth,</div><div>+<span class="Apple-tab-span" style="white-space:pre"> </span>charon->ike_sa_manager, my_id, other_id,</div><div> <span class="Apple-tab-span" style="white-space:pre">
</span>other->get_family(other));</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>while (enumerator->enumerate(enumerator, &id))</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>{</div><div>@@ -92,7 +92,7 @@ METHOD(job_t, execute, job_requeue_t,</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span> ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>me->equals(me, ike_sa->get_my_host(ike_sa)) &&</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>other->equals(other, ike_sa->get_other_host(ike_sa)) &&</div><div>-<span class="Apple-tab-span" style="white-space:pre"> </span>other_id->equals(other_id, ike_sa->get_other_id(ike_sa))
&&</div><div>+<span class="Apple-tab-span" style="white-space:pre"> </span>xauth->equals(xauth, ike_sa->get_other_eap_id(ike_sa)) &&</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>{</div><div> <span class="Apple-tab-span" style="white-space:pre"> </span>childenum = ike_sa->create_child_sa_enumerator(ike_sa);</div></div></div></div></body></html>
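Review bot: the ike_sa_manager.h hunk deletes the sentence that documented which remote identity create_id_enumerator matches, leaving callers with no stated rule; replace it rather than drop it, e.g. " * The remote peer is identified by its IKE identity (other_id), not by its XAuth or EAP identity." Because this reverses what 0fbfcf2a did for every deployment, not only for certificate-authenticated XAuth clients, a configurable switch would be safer than an unconditional revert for anyone carrying this locally.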
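Review bot: in the checkin hunk of ike_sa_manager.c, switching other_id to get_other_id() changes the key under which every IKE_SA is indexed, so all later lookups (uniqueness, adoption of children) depend on it. For peers authenticated by XAuth or EAP the identity that was actually verified is the XAuth/EAP one (the deleted header comment shows that was the previous key), while the IKE identity may be a generic or self-asserted value; the entry is now tied to the weaker of the two. Fine for the certificate-authenticated clients in the post, but it should be stated in the commit message, and the same accessor must be used in check_uniqueness and the enumerator callers, which this patch does.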
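Review bot: after the check_uniqueness hunk, two connections from different XAuth users presenting the same certificate compare equal, so depending on the uniqueids setting the first user's IKE_SA is replaced or the second connection is rejected; confirm that is the intended policy for shared certificates. The enumerator is created with the same identity (get_other_id) that checkin now stores, which is required: if the two disagreed, the uniqueness check would silently never find the old SA.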
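Review bot: in the mode_config.c build_r hunk the identity stored in id is what the pool later has to see again in release_address; the ike_sa.c destroy hunk switches the release side the same way, so this acquire/release pair stays consistent. Any acquire or release path not touched by this patch that still calls get_other_eap_id() would acquire under one identity and release under another and leak leases, so grep for remaining callers before applying.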
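Review bot: the ike_config.c build_r hunk makes the same change for IKEv2, so pool leases are now keyed by the IKE identity rather than the EAP identity. Since mempool leases are per identity, IKEv2 EAP clients that present the same IKE identity are the same client to the pool from now on, and a client whose verified EAP identity is unchanged is no longer guaranteed its previous address if its IKE identity differs. Record this in the commit message; the "id =" / "this->ike_sa->get_other_id(this->ike_sa);" split in the posted hunk is a mail line wrap, not part of the change.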
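Review bot: in the ike_sa.c destroy hunk, release_address() now receives get_other_id(this), matching the two acquire sites in mode_config.c and ike_config.c. Keep these three hunks in one commit so a partial apply cannot leave addresses acquired under one identity and released under another.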
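Review bot: the first adopt_children_job.c hunk passes other_id instead of xauth to create_id_enumerator, which is the right counterpart to the manager now indexing on the IKE identity. Together with the filter hunk below the effective condition is unchanged ("same IKE identity and same XAuth identity" either way), only the identity used for the index lookup differs; say so in the commit message so readers do not assume adoption semantics changed.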
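Review bot: in the second adopt_children_job.c hunk, "xauth->equals(xauth, ike_sa->get_other_eap_id(ike_sa))" dereferences xauth unconditionally; its initialisation is above the hunk and not shown, so confirm it can never be NULL on this path (for example for a reauthenticating client that did not do XAuth). If get_other_eap_id() returns NULL rather than falling back to the IKE identity when the candidate SA has no XAuth identity, equals() would also be handed a NULL; a NULL guard on both sides would make the filter robust either way.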