Hi 2 all
On Tue, Jun 08, 2010 at 09:01:41AM -0400, Paul Wouters wrote:
> On Tue, 8 Jun 2010, Michael Richardson wrote:
>
> >Please remember that XAUTH for IKEv1 was never standardized.
> >
> >May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: ignoring unknown Vendor
> >ID payload [afca071368a1f1c96b8696fc77570100]
>
> that vendorid suggest Fortigate.
As this bug is really old and was pi..ing me off already I have done some
testing - not with a Fortigate but with two openswans, one with 2.4.12 and one
with 2.6.28, and these are the results:
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.4.12...
104 "leftright" #2: STATE_MAIN_I1: initiate
003 "leftright" #2: ignoring unknown Vendor ID payload
[4f45517b4f7f6e657a7b4351]
003 "leftright" #2: received Vendor ID payload [Dead Peer Detection]
003 "leftright" #2: received Vendor ID payload [XAUTH]
003 "leftright" #2: received Vendor ID payload [RFC 3947] method set to=109
106 "leftright" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "leftright" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no
NAT detected
108 "leftright" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "leftright" #2: ignoring unknown Vendor ID payload [494b457632]
004 "leftright" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_256 prf=oakley_sha group=modp2048}
041 "leftright" #2: leftright prompt for Username:
Name enter: harald
040 "leftright" #2: leftright prompt for Password:
Enter secret:
004 "leftright" #2: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "leftright" #2: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "leftright" #3: STATE_QUICK_I1: initiate
004 "leftright" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xa5c83bf1 <0x4012fee0 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.32-5-686...
Enter username: harald
Enter passphrase:
104 "leftright" #1: STATE_MAIN_I1: initiate
003 "leftright" #1: ignoring unknown Vendor ID payload
[4f45606c50487c5662707575]
003 "leftright" #1: received Vendor ID payload [Dead Peer Detection]
003 "leftright" #1: received Vendor ID payload [XAUTH]
003 "leftright" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "leftright" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "leftright" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no
NAT detected
108 "leftright" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "leftright" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_256 prf=oakley_sha group=modp2048}
041 "leftright" #1: leftright prompt for Username:
040 "leftright" #1: leftright prompt for Password:
004 "leftright" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "leftright" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "leftright" #2: STATE_QUICK_I1: initiate
004 "leftright" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0xf7734ca1 <0x0abb2aae xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
As far as I can say both worked and used a completely different proposal as the
standard, so I guess we can say this bug is fixed at least in 2.4.12 from
Debian Lenny and therefore can close this bug - does everybody agree?
>
> >It's nearly impossible to test without having access to the right
> >equipment, which aside from being very expensive, is not even sold
> >anymore.
>
> Yeah.
>
> Paul
Kind regards
Harald
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]