On Wed, 18 Aug 2010, Harald Jenny wrote:

Agreed

Date: Wed, 18 Aug 2010 23:24:31 +0200
From: Harald Jenny <har...@a-little-linux-box.at>
To: Paul Wouters <p...@xelerance.com>, Michael Richardson <m...@sandelman.ca>,
    Christian PERRIER <bubu...@debian.org>,
    René Mayrhofer <r...@mayrhofer.eu.org>, 359...@bugs.debian.org
Subject: Re: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359183

Hi 2 all

On Tue, Jun 08, 2010 at 09:01:41AM -0400, Paul Wouters wrote:
On Tue, 8 Jun 2010, Michael Richardson wrote:

Please remember that XAUTH for IKEv1 was never standardized.

May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]

that vendorid suggests Fortigate.

As this bug is really old and was pi..ing me off already I have done some
testing - not with a Fortigate but with two openswans, one with 2.4.12 and one
with 2.6.28, and these are the results:


ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.4.12...

104 "leftright" #2: STATE_MAIN_I1: initiate
003 "leftright" #2: ignoring unknown Vendor ID payload [4f45517b4f7f6e657a7b4351]
003 "leftright" #2: received Vendor ID payload [Dead Peer Detection]
003 "leftright" #2: received Vendor ID payload [XAUTH]
003 "leftright" #2: received Vendor ID payload [RFC 3947] method set to=109
106 "leftright" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "leftright" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "leftright" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "leftright" #2: ignoring unknown Vendor ID payload [494b457632]
004 "leftright" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
041 "leftright" #2: leftright prompt for Username:
Name enter:   harald
040 "leftright" #2: leftright prompt for Password:
Enter secret:
004 "leftright" #2: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "leftright" #2: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "leftright" #3: STATE_QUICK_I1: initiate
004 "leftright" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa5c83bf1 <0x4012fee0 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}



ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.32-5-686...

Enter username:   harald
Enter passphrase:
104 "leftright" #1: STATE_MAIN_I1: initiate
003 "leftright" #1: ignoring unknown Vendor ID payload [4f45606c50487c5662707575]
003 "leftright" #1: received Vendor ID payload [Dead Peer Detection]
003 "leftright" #1: received Vendor ID payload [XAUTH]
003 "leftright" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "leftright" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "leftright" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "leftright" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "leftright" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
041 "leftright" #1: leftright prompt for Username:
040 "leftright" #1: leftright prompt for Password:
004 "leftright" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "leftright" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "leftright" #2: STATE_QUICK_I1: initiate
004 "leftright" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xf7734ca1 <0x0abb2aae xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}


As far as I can tell, both worked and used a completely different proposal than the
standard, so I guess we can say this bug is fixed at least in 2.4.12 from
Debian Lenny and therefore can close this bug - does everybody agree?


It's nearly impossible to test without having access to the right
equipment, which aside from being very expensive, is not even sold
anymore.

Yeah.

Paul

Kind regards
Harald



