On Fri, 29 Dec 2017, Hao Chen wrote:


Based on https://tools.ietf.org/html/rfc2409#page-18 , "identification
payload" in "msg 1 in quick mode" could be "optional". 

Do you know how to configure ipsec.conf to let libreswan v3.20 send
out the "identification payload"?

ikev1_quick.c shows:

        /* [ IDci, IDcr ] out */
        if (has_client) {
                /* IDci (we are initiator), then IDcr (peer is responder) */
                if (!emit_subnet_id(&c->spd.this.client,
                                    ISAKMP_NEXT_ID,
                                    st->st_myuserprotoid,
                                    st->st_myuserport, &rbody) ||
                    !emit_subnet_id(&c->spd.that.client,
                                    ISAKMP_NEXT_NONE,
                                    st->st_peeruserprotoid,
                                    st->st_peeruserport, &rbody)) {
                        reset_cur_state();
                        return STF_INTERNAL_ERROR;
                }
        }

has_client is set if this is not a host-host connection but a net-host,
host-net or net-net connection. This also happens if the client is
behind NAT.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
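The host-host versus host-net distinction Paul describes, shown as an added ipsec.conf example (not taken from the thread or from libreswan's own documentation); the conn names, addresses and subnet are constructed placeholders, and plutodebug=all is only there so the emitted payloads show up in the pluto log:

```ini
# Added example, not from the original thread. Addresses are placeholders.
config setup
    plutodebug=all        # log payload emission so IDci/IDcr can be confirmed

# host-host: no client subnet on either side, so has_client stays false and
# quick mode message 1 carries no IDci/IDcr payloads (they are optional in
# RFC 2409 section 5.5)
conn hh-no-id
    ikev2=no
    authby=secret
    left=192.0.2.1
    right=198.51.100.1
    auto=add

# host-net: rightsubnet turns this into a client connection, has_client is
# set, and both IDci and IDcr are emitted in quick mode message 1
conn hn-with-id
    ikev2=no
    authby=secret
    left=192.0.2.1
    right=198.51.100.1
    rightsubnet=10.0.0.0/24
    auto=add
```

With the debug logging enabled, compare the pluto log for each conn after bringing it up; only the second should show the ID payloads being built.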
