Hi Paul,

> I discovered an interop issue with XAUTH authentication
> with StrongSwan VPNs. Does anyone have a deep enough
> knowledge of this frame to understand what the remote
> VPN is giving away?
Thanks for your analysis, and the patch. It seems that Sonicwall sends the ID/Hash payloads unencrypted even in Main Mode, probably to select different PSK keys based on the peer identity. Something like an "Aggressive Mode light"?

If that helps for interoperability, I'm not against upstreaming a work-around, even if it is not strictly within the specs. How about the (untested) patch at [1]? It introduces a charon.sonicwall_quirk strongswan.conf option to enable that behavior.

@Tobias: What do you think about such an option? I don't know if it is worth it, as the remote sends these unencrypted payloads anyway. On the other hand, it can make the implications clear to the administrator/user, given that an attacker can snoop these identities sent in clear text.

Best Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/sonicwall-quirk
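The point Martin raises is that a Main Mode (Identity Protection) exchange is supposed to carry the ID and HASH payloads only after the Encryption flag is set, so an on-path observer never learns the peer identity; a peer that emits them in the clear leaks exactly what Aggressive Mode leaks by design. The following is an added example written for this page, not strongSwan code and not the patch at [1]: it builds constructed ISAKMP Phase 1 messages (cookies, key-exchange, nonce and hash bytes are dummy fillers, and the FQDN identity is invented) and checks, using only RFC 2408/2407 header fields and no keys, which identities a passive sniffer could read from each.

```python
"""Check whether an ISAKMP Phase 1 message exposes an ID payload in the clear.

Added example, not strongSwan code. Sample messages are constructed inline.
Constants are from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI ID types).
"""
import struct

EXCHANGE_MAIN_MODE = 2        # "Identity Protection" exchange
EXCHANGE_AGGRESSIVE = 4
FLAG_ENCRYPTION = 0x01        # E bit in the ISAKMP header flags
PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_HASH, PAYLOAD_NONCE = 4, 5, 8, 10
ID_TYPE_NAMES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 9: "DER_ASN1_DN", 11: "KEY_ID"}
HDR = "!8s8sBBBBII"           # I-cookie, R-cookie, next, version, exchange, flags, msgid, length


def build_isakmp(exchange, flags, payloads):
    """Serialize a message from [(payload_type, body)] in wire order (dummy cookies)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR, b"I" * 8, b"R" * 8, first, 0x10, exchange, flags, 0, 28 + len(body)) + body


def id_payload(id_type, data):
    """ID payload body: ID type, protocol (UDP), port 500, identification data."""
    return struct.pack("!BBH", id_type, 17, 500) + data


def cleartext_identities(msg):
    """Return [(exchange_type, id_type_name, identity_bytes)] readable without any key.

    If the E flag is set the payloads are ciphertext, so nothing is returned.
    """
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    _, _, next_type, _, exchange, flags, _, length = struct.unpack(HDR, msg[:28])
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    if flags & FLAG_ENCRYPTION:
        return []
    found, off = [], 28
    while next_type != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[off + 4:off + plen]
        if next_type == PAYLOAD_ID and len(body) >= 4:
            found.append((exchange, ID_TYPE_NAMES.get(body[0], str(body[0])), body[4:]))
        next_type, off = nxt, off + plen
    return found


def classify(msg):
    """Human-readable verdict: is a leak here a quirk, by design, or absent?"""
    ids = cleartext_identities(msg)
    exchange = msg[18]
    if not ids:
        return "no identity readable in the clear"
    if exchange == EXCHANGE_MAIN_MODE:
        return "Main Mode identity leak (peer sends ID before enabling encryption)"
    if exchange == EXCHANGE_AGGRESSIVE:
        return "Aggressive Mode: identity in the clear by design"
    return "identity in the clear"


# Constructed samples (filler bytes; the identity is invented).
_PEER_ID = id_payload(2, b"branch.example.com")
_TAIL = [(PAYLOAD_KE, b"\x11" * 32), (PAYLOAD_NONCE, b"\x22" * 16),
         (PAYLOAD_ID, _PEER_ID), (PAYLOAD_HASH, b"\x33" * 20)]
MAIN_MODE_LEAK = build_isakmp(EXCHANGE_MAIN_MODE, 0, _TAIL)               # quirk under discussion
MAIN_MODE_PROTECTED = build_isakmp(EXCHANGE_MAIN_MODE, FLAG_ENCRYPTION, _TAIL)  # spec-conformant
AGGRESSIVE = build_isakmp(EXCHANGE_AGGRESSIVE, 0, _TAIL)

if __name__ == "__main__":
    for name, m in [("main-leak", MAIN_MODE_LEAK), ("main-protected", MAIN_MODE_PROTECTED),
                    ("aggressive", AGGRESSIVE)]:
        print(name, classify(m), cleartext_identities(m))
```

Run against a real capture, the same check applied to the third Main Mode message pair (the first that should carry ID/HASH) tells an administrator whether a gateway is exposing identities, which is the implication the proposed option is meant to make explicit.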
