[strongSwan] PATCH: Payload order for aggressive mode

Gerald Richter - ECOS richter at ecos.de
Wed Jul 31 05:55:56 CEST 2013


While debugging an aggressive mode connection to a WatchGuard, I discovered that the WatchGuard expects the HASH_V1 before the NAT payload in the third message. Otherwise it fails (see https://lists.strongswan.org/pipermail/users/2013-July/009412.html). Doing a quick search I didn't find any order requirements in the RFCs (did I miss something?). The following patch (together with https://lists.strongswan.org/pipermail/users/2013-July/009497.html) allows me to successfully establish a connection to the WatchGuard. I tested it also against a Cisco ASA and it works there also.



diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c

index 749c326..0e1bac9 100644

--- a/src/libcharon/encoding/message.c

+++ b/src/libcharon/encoding/message.c

@@ -535,12 +535,12 @@ static payload_order_t aggressive_i_order[] = {

        {NONCE_V1,                                      0},

        {ID_V1,                                         0},

        {CERTIFICATE_V1,                        0},

-       {NAT_D_V1,                                      0},

-       {NAT_D_DRAFT_00_03_V1,          0},

        {SIGNATURE_V1,                          0},

        {HASH_V1,                                       0},

        {CERTIFICATE_REQUEST_V1,        0},

        {NOTIFY_V1,                                     0},

+       {NAT_D_V1,                                      0},

+       {NAT_D_DRAFT_00_03_V1,          0},

        {VENDOR_ID_V1,                          0},

        {FRAGMENT_V1,                           0},
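Review bot: The reordering in aggressive_i_order carries no explanation in the table itself, so a one-line comment above the moved NAT_D_V1 / NAT_D_DRAFT_00_03_V1 entries stating that they are deliberately placed after HASH_V1 and SIGNATURE_V1 for interoperability (the WatchGuard behaviour described in the mail) would keep a later cleanup from silently moving them back. The hunk only touches the initiator-side order; the responder-side aggressive-mode table is not in this diff, and it would be worth stating whether it was reviewed for the same ordering or intentionally left alone. Since the moved entries now follow both SIGNATURE_V1 and HASH_V1, confirming in the commit message that the change was exercised with both signature and pre-shared-key authentication (the mail mentions a WatchGuard and a Cisco ASA, but not which authentication method) would make the test coverage of the reorder clear.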

