[strongSwan] Multiple proposals with different authentication types

SM K sacho.polo at gmail.com
Tue Jun 30 10:14:41 CEST 2015


On Sun, Jun 28, 2015 at 11:53 PM, Martin Willi <martin at strongswan.org>
wrote:

> tiple auth methods, we'd have to
> return all of them (for example using a bit-set), and use these methods
> in main/aggressive_mode.c to select the appropriate
>

Hi Martin,

Thanks for the reply. Yes, I realized from the code that only the auth
method in the first transform proposal from the SA payload is returned.
Same with the lifetime, which I thought would not matter so much, but a
Juniper SRX did not like it either when the lifetime was different from
what it had proposed. Sadly, the proposal structures in the ike_cfg_t do
not have the auth method in them, so even if I get a list of auth methods
from the SA payloads, it was not easy to do a proper match against the
proposals in ike_cfg. In the end I ended up putting in a hack to keep the
auth method in ike_cfg, based on the connection definition. And when the
get_proposals on the sa_payload is done, it will return only those
proposals that match the auth method. If no proposal is found, then it does
what strongSwan currently does. It seems to work for me now, but I hope
there is a better solution.
I did something similar for lifetime.

regards,
sk
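
The selection problem discussed in this message, as an added example that is not part of the original post and is not strongSwan code: a simplified model of choosing a transform from an IKEv1 SA payload by the connection's configured auth method, preferring one whose lifetime also matches, and falling back to the first transform when nothing matches. The types `transform_t`, `conn_cfg_t`, `selection_t` and the function `select_transform` are hypothetical; the auth method values are those of RFC 2409, Appendix A.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { AUTH_PSK = 1, AUTH_RSA_SIG = 3 };   /* RFC 2409, Appendix A */

/* Hypothetical, simplified view of one transform offered by the peer. */
typedef struct { uint8_t number; uint16_t auth_method; uint32_t lifetime_secs; } transform_t;
/* Hypothetical per-connection settings (auth method and lifetime kept with the config). */
typedef struct { uint16_t auth_method; uint32_t lifetime_secs; } conn_cfg_t;
/* index is -1 for an empty offer; the flags tell the caller how good the match is. */
typedef struct { int index; int auth_matched; int lifetime_matched; } selection_t;

selection_t select_transform(const transform_t *t, size_t n, const conn_cfg_t *cfg)
{
    /* Fallback: the first transform, flagged as unmatched. */
    selection_t sel = { n ? 0 : -1, 0, 0 };

    for (size_t i = 0; i < n; i++) {
        if (t[i].auth_method != cfg->auth_method)
            continue;                        /* wrong auth method: never a match */
        if (!sel.auth_matched) {             /* remember the first auth-only match */
            sel.index = (int)i;
            sel.auth_matched = 1;
        }
        if (t[i].lifetime_secs == cfg->lifetime_secs) {
            sel.index = (int)i;              /* auth and lifetime both agree: best case */
            sel.lifetime_matched = 1;
            break;
        }
    }
    return sel;
}

/* Constructed sample offer: RSA signatures first, then two PSK transforms. */
static const transform_t sample_offer[] = {
    { 1, AUTH_RSA_SIG, 86400 },
    { 2, AUTH_PSK,     86400 },
    { 3, AUTH_PSK,     28800 },
};

int main(void)
{
    conn_cfg_t cfg = { AUTH_PSK, 28800 };
    selection_t s = select_transform(sample_offer, 3, &cfg);
    printf("index=%d auth_matched=%d lifetime_matched=%d\n",
           s.index, s.auth_matched, s.lifetime_matched);
    return 0;
}
```

A caller should treat `auth_matched == 0` as "no configured auth method was offered" and decide explicitly whether to reject, rather than silently continuing with the first transform's method.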