
Re[4]: [Users] Freeswan Proposal Syntax

From: D. Hugh Redelmeier (hugh_at_mimosa.com)
Date: Tue May 14 2002 - 09:10:18 CEST


| From: Richard Welty <rwelty_at_averillpark.net>

| On Mon, 13 May 2002 22:25:31 -0400 Sam Sgro <sam_at_freeswan.org> wrote:
| > > i'm working with the operators of an AS/400 to try and actually get things
| > > working properly. when done, i plan to report on what really needed to be
| > > done to the list.

Good.

| > We'll be looking forward to it! I'm also talking with our programmers about
| > this; with any luck, we'll have some useful info for you shortly.

Not likely :-)

- we consider Pluto's use of proposal numbers correct. If the AS/400
  still doesn't like this, they ought to convince us that we're wrong.

- Current Plutos ignore the Commit Bit. This is more conformant and
  more robust than our old behaviour of rejecting it. The Commit Bit
  is an abomination. It isn't even authenticated!

| at this point, with FreeS/WAN 1.96 applied to a Redhat 2.4.9-31 kernel,
| otherwise unmodified, i have pre-shared keys working, w/esp (no ah, but
| ah will probably work), as long as the connection is initiated by the
| AS/400 end. the AS/400 in question is running an older release that
| doesn't support RSA or DSA keys, so that's untested.
|
| the documentation in the interop.html document alludes to a discussion
| sometime around August/September on this list about the IKE commit flag;
| i would very much like to see that discussion (and the patches that
| accompanied it), but i wasn't able to find it in the archives. if someone
| could give me a pointer i'd appreciate it.

Since 1.92, Pluto has ignored the Commit Bit. This probably solves
all interop problems involving the Commit Bit. So I don't think that
can be your problem.

If the problem is with Pluto as Initiator, then it is most likely that
Pluto is doing something that the AS/400 doesn't like (rather than the
other way around). So you'll have to puzzle that out from the
diagnostics and logs of the AS/400. If it were the other way around,
I could interpret Pluto's logs for you.

The proposal number is field isap_proposal in struct isakmp_proposal.
It is set in only one place in the code: in spdb.c:out_sa. It ought to
be trivial to emit a number one higher. Untested:

- proposal.isap_proposal = pcn;
+ proposal.isap_proposal = pcn + 1;
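
Review bot: the `pcn + 1` on the `+` line carries no comment saying why the emitted proposal number is offset from the counter, so a later cleanup could easily revert it; a one-line comment naming the interop reason would help. Since only the emit side in out_sa changes and the message marks this as untested, it is also worth confirming that whatever compares the proposal number in the peer's reply against the one that was sent still accepts the new value.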

Hugh Redelmeier
hugh_at_mimosa.com voice: +1 416 482-8253

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
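
For comparing what each peer actually puts on the wire, the following is an added example (not part of the original message and not FreeS/WAN code) that reads the Commit Bit from an ISAKMP header and lists the Proposal # of every proposal in a chain, following the RFC 2408 layouts. The function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN 28   /* fixed ISAKMP header size (RFC 2408, 3.1) */
#define ISAKMP_FLAG_C  0x02 /* Commit Bit in the header flags octet */
#define PROP_HDR_LEN   8    /* generic header + proposal#, proto, SPI size, #transforms */

/* Returns 1 if the Commit Bit is set, 0 if clear, -1 if the header is short. */
int commit_bit(const uint8_t *msg, size_t len)
{
    if (len < ISAKMP_HDR_LEN)
        return -1;
    return (msg[19] & ISAKMP_FLAG_C) ? 1 : 0;  /* flags octet is at offset 19 */
}

/* Walks a chain of Proposal payloads and stores each Proposal # in out[].
 * Returns the number of proposals, or -1 on a malformed or truncated chain. */
int proposal_numbers(const uint8_t *p, size_t len, uint8_t *out, size_t max)
{
    size_t n = 0;
    for (;;) {
        if (len < PROP_HDR_LEN || n == max)
            return -1;
        size_t plen = ((size_t)p[2] << 8) | p[3];  /* payload length, network order */
        if (plen < PROP_HDR_LEN || plen > len)
            return -1;
        out[n++] = p[4];        /* Proposal # octet */
        if (p[0] == 0)          /* next payload 0: this was the last proposal */
            return (int)n;
        if (p[0] != 2)          /* only another Proposal (type 2) may follow */
            return -1;
        p += plen;
        len -= plen;
    }
}

/* Constructed sample: two bare proposals (no SPI, no transforms), numbered 0 and 1. */
static const uint8_t sample_props[] = {
    2, 0, 0, 8,  0, 3, 0, 0,   /* more follows, len 8, proposal 0, proto 3 (ESP) */
    0, 0, 0, 8,  1, 3, 0, 0,   /* last,         len 8, proposal 1, proto 3 (ESP) */
};
/* Constructed sample header: zero cookies, flags 0x03 (Encryption + Commit). */
static const uint8_t sample_hdr[ISAKMP_HDR_LEN] = { [19] = 0x03, [27] = ISAKMP_HDR_LEN };

int main(void)
{
    uint8_t nums[8];
    int n = proposal_numbers(sample_props, sizeof sample_props, nums, 8);
    printf("commit=%d proposals=%d\n", commit_bit(sample_hdr, sizeof sample_hdr), n);
}
```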



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:59 CEST