[strongSwan-dev] [RFC] Be lenient about downstream encryption
pstew at chromium.org
Mon Apr 14 20:33:47 CEST 2014
On Mon, Apr 14, 2014 at 5:56 AM, Martin Willi <martin at strongswan.org> wrote:
> Hi Paul,
>> I discovered an interop issue with XAUTH authentication
>> with StrongSwan VPNs. Does anyone have a deep enough
>> knowledge of this frame to understand what the remote
>> VPN is giving away?
> Thanks for your analysis, and the patch.
> It seems that Sonicwall sends the ID/Hash payloads unencrypted even in
> Main Mode, probably to select different PSK keys based on the peer
> Identity. Something like an "Aggressive Mode light"?
> If that helps for interoperability, I'm not against upstreaming a
> work-around, even if it is not strictly within the specs.
> How about the (untested) patch at ? It introduces a
> charon.sonicwall_quirk strongswan.conf option to enable that behavior.
> @Tobias: What do you think about such an option? Don't know if it is
> worth it, as remote sends these unencrypted payloads anyway. On the
> other side, it can make the implications clear to the
> administrator/user, given that an attacker can snoop these identities
> sent in clear-text.
> Best Regards
I've verified your patch works. LGTM, modulo the other concerns I mentioned.
More information about the Dev