[strongSwan] Help with UNITY_SAVE_PASSWD attribute

Chris Zelenak netshade at gmail.com
Tue Nov 29 00:09:36 CET 2011


Klaus,

I haven't experienced that problem myself - I'm using strongSwan 4.6.1
compiled with the following:

./configure --enable-mysql --enable-sql --enable-attr-sql \
    --enable-cisco-quirks --enable-medsrv --enable-mediation --enable-medcli \
    --enable-manager --enable-smp --with-group=vpn --enable-nat-transport

Some of that is absolutely nonessential to my working setup atm,
realistically the most important things were --enable-cisco-quirks and
--enable-nat-transport.  The rest is just me playing around. :-)  My
ipsec.conf is posted earlier in this thread, if that ends up being any help
- I've configured my VPN connections w/ the iPhone Configuration Utility
from Apple - http://support.apple.com/kb/dl851, whose .mobileconfig files
I've manually installed on the phone over HTTP.

Chris Zelenak


On Mon, Nov 28, 2011 at 5:46 PM, Klaus Darilion <
klaus.mailinglists at pernau.at> wrote:

> Hi Chris!
>
> Sorry for hijacking your thread - I recently set up strongSwan (4.4.1-5.2)
> and connecting with my iPhone works fine, but only on the first login.
> Further logins will fail and I have to restart strongSwan.
>
> I wonder if I am the only person with this problem or if you experience
> similar problems too.
>
> If you do not have this problem, which strongSwan version are you using?
>
> Thanks
> Klaus
>
>
>
> On 28.11.2011 05:31, Chris Zelenak wrote:
>
>> Hi,
>>
>> I've been trying to send down the UNITY_SAVE_PASSWD attrib (28673) to an
>> iPhone client to allow local client storage of the Xauth password. (
>> iPhone client connecting w/ IPSEC XAuth + Cert, server compiled w/ cisco
>> quirks )  I initially tried by loading the attr plugin and having the
>> following block in my strongswan.conf:
>>
>> pluto {
>>    plugins {
>>      attr {
>>        28672 = "pluto"
>>        28673 = 1
>>      }
>>    }
>> }
>>
>> Both the 28672 ( UNITY_BANNER ) and 28673 ( UNITY_SAVE_PASSWD ) don't
>> get picked up in the isakmp mode config sent back to the client - the
>> server never sends them.  ( I tried UNITY_BANNER just to debug if the
>> attr plugin would pick it up at all ) Just to see if I could force it, I
>> ended up inserting the following into src/pluto/modecfg.c :
>>
>>         if (want_unity_banner)
>>         {
>>                 ca = modecfg_attribute_create(**UNITY_BANNER,
>>
>>   chunk_create(DEFAULT_UNITY_**BANNER,
>>
>>   strlen(DEFAULT_UNITY_BANNER)))**;
>>                 ca_list->insert_last(ca_list, ca);
>>         }
>> +        ca = modecfg_attribute_create_tv(**UNITY_SAVE_PASSWD, 1);
>> +        ca_list->insert_last(ca_list, ca);
>>
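Review bot: the two added lines sit after the closing brace of the if (want_unity_banner) block, so UNITY_SAVE_PASSWD with value 1 is appended to every Mode Config reply unconditionally, while the banner just above is gated on want_unity_banner. Whether a client may store its XAuth password is a per-deployment policy choice; suggest gating the attribute the same way the banner is gated (on the client's request, a configuration option, or both) instead of hard-coding it for all peers, and adding a comment saying what the value 1 means.
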
>> Now the data /does/ get sent down, but the iPhone client doesn't seem to
>> be acting on the UNITY_SAVE_PASSWD value - subsequent reconnection
>> attempts still prompt me for a password. From what I've been able to
>> tell looking around, 1 is the correct value to send down, but I dunno...
>>
>> If anyone could help me out in figuring out why:
>>
>> A) the attr plugin doesn't seem to be working
>> and
>> B) if I'm sending down the value incorrectly in my hack inside modecfg.c
>>
>> it would be much appreciated.
>>
>> Thanks,
>>
>> Chris Zelenak
>>
>
>
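
Added example, not part of the original thread and not strongSwan code: a small decoder for an ISAKMP attribute list (RFC 2408 section 3.3 encoding), which can be run over the attribute bytes of a captured Mode Config reply to check whether 28672 and 28673 were sent and in which form. The function name find_attr and the sample bytes are constructed for illustration; it assumes the _tv helper in the patch above emits the basic (TV) form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UNITY_BANNER      28672  /* attribute numbers as given in the thread */
#define UNITY_SAVE_PASSWD 28673
#define ATTR_AF_BIT       0x8000 /* RFC 2408 3.3: set = TV (2-byte value), clear = TLV */

/* Walk an ISAKMP attribute list and look up one attribute type.
 * Returns 1 if found in TV form (*val = 16-bit value), 2 if found in TLV form
 * (*val = payload length, *data = payload), 0 if absent, -1 if malformed. */
int find_attr(const uint8_t *buf, size_t len, uint16_t want,
              uint16_t *val, const uint8_t **data)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 4)
            return -1;                       /* truncated attribute header */
        uint16_t type = (uint16_t)(buf[off] << 8 | buf[off + 1]);
        uint16_t lv   = (uint16_t)(buf[off + 2] << 8 | buf[off + 3]);
        off += 4;
        if (type & ATTR_AF_BIT) {            /* TV: lv is the value itself */
            if ((type & 0x7FFF) == want) { *val = lv; *data = NULL; return 1; }
            continue;
        }
        if (lv > len - off)
            return -1;                       /* TLV length runs past the buffer */
        if (type == want) { *val = lv; *data = buf + off; return 2; }
        off += lv;
    }
    return 0;
}

/* Constructed sample: banner "pluto" as TLV, then save-password = 1 as TV. */
static const uint8_t sample[] = {
    0x70, 0x00, 0x00, 0x05, 'p', 'l', 'u', 't', 'o',
    0xF0, 0x01, 0x00, 0x01,
};

int main(void)
{
    uint16_t v = 0; const uint8_t *d = NULL;
    int r = find_attr(sample, sizeof sample, UNITY_SAVE_PASSWD, &v, &d);
    printf("UNITY_SAVE_PASSWD: form=%d value=%u\n", r, (unsigned)v);
    r = find_attr(sample, sizeof sample, UNITY_BANNER, &v, &d);
    printf("UNITY_BANNER: form=%d length=%u\n", r, (unsigned)v);
    return 0;
}
```
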