On Thu, Aug 19, 2010 at 10:07:52AM -0400, Michael Richardson wrote:
> >>>>> "Harald" == Harald Jenny <har...@a-little-linux-box.at> writes:
>     Harald> On Tue, Jun 08, 2010 at 09:01:41AM -0400, Paul Wouters
>     Harald> wrote:
>     >> On Tue, 8 Jun 2010, Michael Richardson wrote:
>     >>
>     >> >Please remember that XAUTH for IKEv1 was never standardized.
>     >> >
>     >> >May 11 09:22:10 mykerinos pluto[21853]: "onera" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
>     >>
>     >> that vendorid suggests Fortigate.
>
>     Harald> As this bug is really old and was pi..ing me off already I
>     Harald> have done some testing - not with a Fortigate but with two
>     Harald> openswans, one with 2.4.12 and one with 2.6.28, and these
>     Harald> are the results:
>
> This is the major reason why we prefer to always have both "client" and
> "gateway" side for every protocol --- so that we can validate that
> something works. We might be wrong, but at least we can debug our own
> code.

True for sure...

> XAUTH has client push and gateway pull modes.

Ok

> Which to use, and when, is not communicated in the protocol (one of the
> results of having the IETF decline to publish the document is that the
> document did not get clarified).

Well, this does not make work easier, I guess.

> I'm glad that this worked for you and that we can close this bug:
> whether or not it works with Fortigate or not depends upon what they
> implemented.

As the whole issue was about openswan neglecting to set the AES length to 256 bits when using XAUTH, I guess (at least) this issue also won't show up with Fortigate.

> My opinion is that if Fortigate wants to validate if it
> works with them, that they can get a debian live CD and ... try it out.

Hmmm, would be nice, but I think they won't ;-).

> --
> ] He who is tired of Weird Al is tired of life! | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON | net architect [
> ] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | device driver [
> Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
> then sign the petition.