[strongSwan] PATCH: Payload order for aggressive mode
Gerald Richter - ECOS
richter at ecos.de
Wed Jul 31 05:55:56 CEST 2013
Hi,
while debugging an aggressive mode connection to a WatchGuard, I discovered that the WatchGuard expects the HASH_V1 before the NAT payload in the third message. Otherwise it fails (see https://lists.strongswan.org/pipermail/users/2013-July/009412.html). Doing a quick search I didn't find any order requirements in the RFCs (did I miss something?). The following patch (together with https://lists.strongswan.org/pipermail/users/2013-July/009497.html) allows me to successfully establish a connection to the WatchGuard. I also tested it against a Cisco ASA and it works there too.
Regards
Gerald
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 749c326..0e1bac9 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -535,12 +535,12 @@ static payload_order_t aggressive_i_order[] = {
{NONCE_V1, 0},
{ID_V1, 0},
{CERTIFICATE_V1, 0},
- {NAT_D_V1, 0},
- {NAT_D_DRAFT_00_03_V1, 0},
{SIGNATURE_V1, 0},
{HASH_V1, 0},
{CERTIFICATE_REQUEST_V1, 0},
{NOTIFY_V1, 0},
+ {NAT_D_V1, 0},
+ {NAT_D_DRAFT_00_03_V1, 0},
{VENDOR_ID_V1, 0},
{FRAGMENT_V1, 0},
};
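Review bot: the moved NAT_D_V1 / NAT_D_DRAFT_00_03_V1 entries carry no comment explaining why they now sit after HASH_V1 and NOTIFY_V1 instead of before SIGNATURE_V1; since the e-mail states the RFCs impose no ordering and the only reason is interoperability with a peer that rejects NAT-D ahead of HASH_V1 in the third aggressive-mode message, add a one-line comment on those two entries (e.g. `/* some peers (WatchGuard) require HASH_V1 before NAT-D */`) so the order is not "tidied" back later. Also note that the hunk touches only aggressive_i_order; that matches the report, because message 3 of aggressive mode is sent by the initiator, but the commit message should say so explicitly and list the peers the new order was tested against (WatchGuard, Cisco ASA).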
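To make the effect of the reordering visible on the wire, here is an added example (my own code, not part of the strongSwan sources or of Gerald's patch) that orders a set of ISAKMP payloads by a table mirroring aggressive_i_order before and after the hunk, serializes them with the generic payload headers whose next-payload field forms the chain, and parses the result back. The SA and KE entries at the top of the tables are assumed from RFC 2409 (the hunk's context starts at NONCE_V1); the payload type numbers come from RFC 2408 and RFC 3947; the hash and NAT-D bodies are constructed sample bytes, not real digests.

```python
import struct

# ISAKMP payload type numbers (RFC 2408 section 3.1); NAT-D is 20 per RFC 3947,
# 130 is the private-use number the draft-00/03 NAT-T implementations used.
SA, KE, ID, CERT, CR, HASH, SIG, NONCE, NOTIFY, VID = 1, 4, 5, 6, 7, 8, 9, 10, 11, 13
NAT_D = 20
NAT_D_DRAFT = 130
AGGRESSIVE = 4  # exchange type (RFC 2409 appendix A)

# Order tables mirroring aggressive_i_order before and after the patch.
# SA/KE at the front are assumed (RFC 2409 aggressive mode: HDR, SA, KE, Ni, IDii);
# the remaining entries are copied from the hunk.
ORDER_BEFORE = [SA, KE, NONCE, ID, CERT, NAT_D, NAT_D_DRAFT, SIG, HASH, CR, NOTIFY, VID]
ORDER_AFTER = [SA, KE, NONCE, ID, CERT, SIG, HASH, CR, NOTIFY, NAT_D, NAT_D_DRAFT, VID]


def order_payloads(payloads, order):
    """Sort (type, body) pairs by their position in an order table.
    sorted() is stable, so two NAT-D payloads keep their relative order."""
    rank = {t: i for i, t in enumerate(order)}
    return sorted(payloads, key=lambda p: rank[p[0]])


def encode_message(payloads, ispi, rspi, msgid=0, exchange=AGGRESSIVE, flags=0):
    """Serialize an ISAKMP message: 28-byte header plus the payload chain.
    Each generic payload header names the type of the *next* payload, so the
    wire order is exactly the list order handed in."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", ispi, rspi, first, 0x10, exchange, flags,
                      msgid, 28 + len(chain))
    return hdr + chain


def decode_message(data):
    """Walk the next-payload chain; return (exchange_type, [(type, body), ...]).
    Length fields are checked against the buffer before any slice is taken."""
    if len(data) < 28:
        raise ValueError("short header")
    _, _, nxt, _, exchange, _, _, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("length field %d != %d bytes received" % (length, len(data)))
    off, out = 28, []
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        following, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        out.append((nxt, data[off + 4:off + plen]))
        off, nxt = off + plen, following
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return exchange, out


def third_message_types(order):
    """Wire order of payload types for a constructed aggressive-mode message 3
    (HASH_I plus two NAT-D payloads), after an encode/decode round trip."""
    # Constructed sample bodies: a fake 16-byte hash and two fake 20-byte NAT-D digests.
    payloads = order_payloads(
        [(NAT_D, b"\x11" * 20), (NAT_D, b"\x22" * 20), (HASH, b"\xaa" * 16)], order)
    raw = encode_message(payloads, ispi=b"\x01" * 8, rspi=b"\x02" * 8)
    _, decoded = decode_message(raw)
    return [t for t, _ in decoded]


if __name__ == "__main__":
    print("before patch:", third_message_types(ORDER_BEFORE))  # [20, 20, 8]
    print("after patch: ", third_message_types(ORDER_AFTER))   # [8, 20, 20]
```

The two order tables differ only in where the NAT-D types sit, and the round trip shows that this is all the peer sees: with the old table the first payload header in the message announces NAT-D (20) and HASH (8) comes last, with the new table HASH leads the chain. A peer that locates HASH_I by position rather than by walking the chain is exactly the kind that breaks on the old order.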