[strongSwan] OS X/iOS clients with XAUTH

Brian Mastenbrook brian at mastenbrook.net
Mon Feb 4 05:11:33 CET 2013


On Feb 2, 2013, at 2:49 PM, Brian Mastenbrook <brian at mastenbrook.net> wrote:

> Is anyone successfully using StrongSwan 5.x with OS X/iOS clients using "Cisco IPsec" (XAUTH + tunnel mode)? I'm finding that clients drop after 45 minutes because the client wants to rekey, but doesn't expect to have to perform XAUTH authentication again. I found a recent issue report (http://wiki.strongswan.org/issues/260), and a patch for pluto (https://lists.strongswan.org/pipermail/users/2011-September/006613.html) to work around the issue, but I'm at a bit of a loss as to how to proceed with charon. Apple does not regard this as a bug in OS X and is not intending on fixing the behavior. Is this possible to accomplish with charon, or if not, is it straightforward to implement? I dug into the source a little and wasn't sure where to begin.

I've been able to make this work with OS X clients with a small hack: basically, sending an OK status immediately instead of a request for authentication works. I don't particularly care that XAUTH authentication never occurs in this case because I'd be using pure RSA if OS X would let me get away with it.

Is there any interest in a cleaner patch for this "fake XAUTH" mode?
--
Brian Mastenbrook
brian at mastenbrook.net
http:/brian.mastenbrook.net/





More information about the Users mailing list