[strongSwan] UNITY_SAVE_PASSWD not honoured?

Tobias Brunner tobias at strongswan.org
Thu Jul 14 15:40:48 CEST 2016

Hi Tom,

> I am successfully sending UNITY_* attrs to IKEv1 clients which support
> it, but the UNITY_SAVE_PASSWD option does not seem to be accepted
> correctly, it simply doesn't allow the client to save their password.

This has been discussed previously [1].  Basically the attr plugin only
supports IP addresses and strings.  So setting this to `yes` or `1`
(which is transmitted as 0x31) won't work.  If the clients accept 32-bit
numbers you could perhaps try as value.  But it's also possible
that the clients only accept the attribute in its short form (i.e. the
value is expected to be encoded in the 16-bit length field), which
neither the attr nor the attr-sql plugin supports.  The latter could be
used to send a 16-bit instead of a 32-bit attribute, though, so that
might also be something worth trying.

By the way, what clients are you testing with?


[1] https://lists.strongswan.org/pipermail/users/2011-November/002342.html
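The encodings discussed in the reply above, as an added example that is not part of the original post and is not strongSwan code. It assumes the ISAKMP data attribute layout from RFC 2408 section 3.3 (the top bit of the type selects short form) and the Cisco Unity type number 28673 for UNITY_SAVE_PASSWD; the helper names and the sample values are constructed for illustration.

```python
import struct

UNITY_SAVE_PASSWD = 28673  # 0x7001, Cisco Unity attribute type (assumed, not from the post)
AF_SHORT = 0x8000          # attribute-format bit: 1 = value carried in the length field

def encode_tlv(attr_type: int, value: bytes) -> bytes:
    """Long form (AF=0): type, 16-bit length, then the value bytes."""
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value

def encode_tv(attr_type: int, value: int) -> bytes:
    """Short form (AF=1): type, then a 16-bit value in place of the length."""
    return struct.pack("!HH", AF_SHORT | (attr_type & 0x7FFF), value & 0xFFFF)

def decode(buf: bytes):
    """Parse a run of attributes into (type, form, value) tuples."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header")
        t, lv = struct.unpack_from("!HH", buf, off)
        off += 4
        if t & AF_SHORT:
            out.append((t & 0x7FFF, "short", lv))
        else:
            if len(buf) - off < lv:
                raise ValueError("truncated attribute value")
            out.append((t, "long", buf[off:off + lv]))
            off += lv
    return out

def candidates():
    """Constructed sample encodings of a 'true' value for UNITY_SAVE_PASSWD."""
    return {
        "string '1'": encode_tlv(UNITY_SAVE_PASSWD, b"1"),                 # the 0x31 case
        "32-bit 1": encode_tlv(UNITY_SAVE_PASSWD, struct.pack("!I", 1)),
        "16-bit 1": encode_tlv(UNITY_SAVE_PASSWD, struct.pack("!H", 1)),
        "short form 1": encode_tv(UNITY_SAVE_PASSWD, 1),
    }

if __name__ == "__main__":
    for name, raw in candidates().items():
        print(f"{name:14} {raw.hex(' '):26} -> {decode(raw)}")
```

Comparing the attribute bytes in a decrypted capture against these four forms shows which encoding a given server actually sent.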
