[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Sat Feb 2 08:56:06 EET 2013
New commits:
commit c015d1a038546a5c32d9a36d16462d490108e254
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Feb 2 01:41:04 2013 -0500
* XAUTH: modecfgdns* parameter was broken, modecfgwins* removed
The modecfgdns1/modecfgdns2/modecfgwins1/modecfgwins2 were never
properly working using libipsecconf. They only worked when you used
whack directly.
Someone (probably me) put these in as KSCF_MODECFG* instead of as
KSF_MODECFG*, so the parser was looking for left/rightmodecfgdn1 etc.
While fixing these, I removed support for XAUTH WINS, as that died a
decade ago.
We had defined POLICY_MODECFGDNS1 etc apparently as policy bits that
would determine if we would send these options, but then they were
never queried ever, so I removed them. It's quite obvious when you
need to set these, namely if we are an xauthserver and modecfg_dns1=
is set.
libipsecconf got compiled without XAUTH because it was not being
added to the CFLAGS when USE_XAUTH was set. So none of the parsing
code was reading the code I wrote to read these options.
(the only reason xauthby= ever worked was because it was _missing_
and #ifdef XAUTH)
Parsing of the modecfgdns1/modecfgdns2 keywords as kt_ipaddr also
gave some problems because ipaddr processing was really only done
for the left/right parts of the connection. The easier fix was to
change these into kt_string, and when reading the struct starter_conn
information into a struct whack_message, do the tnatoaddr() conversion.
If the IP for this option is bogus, we ignore it and continue.
modecfgwins1/modecfgwins2 are now kt_obsolete, and they were removed from
whack, the code that sends xauth attributes, and the man pages.
The ipsec auto --status was updated to show the xauth information better:
000 "test": 76.10.157.69<76.10.157.69>[+XS+S=C]...5.6.7.8<5.6.7.8>; unrouted; eroute owner: #0
000 "test": oriented; my_ip=unset; their_ip=unset;
000 "test": xauth info: my_xauthuser=pwouters; their_xauthuser=[any]; dns1:1.8.8.8, dns2:3.8.8.8;
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test": policy: RSASIG+ENCRYPT+TUNNEL+PFS+XAUTH+IKEv2ALLOW+ModeCFGDNS1+ModeCFGWINS1;
000 "test": prio: 32,32; interface: virbr0; metric: 0, mtu: unset;
000 "test": dpd: action:clear; delay:0; timeout:0;
000 "test": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
commit 16548119c880df68971f382751d584e3a60f51a9
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Feb 1 22:22:58 2013 -0500
* libipsecconf: remove another leftover used for manual keying
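The first commit above describes keeping modecfgdns1/modecfgdns2 as kt_string in struct starter_conn and converting them to addresses only when building the struct whack_message, silently skipping a bogus value. The following is an added illustration of that pattern, not code from the libreswan tree or from the commit itself: the two structs are constructed stand-ins for the real starter_conn and whack_message, and inet_pton() is used in place of libreswan's tnatoaddr(), so the field names and helper are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the relevant part of struct starter_conn:
   the keywords stay as raw strings (kt_string), not pre-parsed addresses. */
struct conn_strings {
    const char *modecfgdns1;
    const char *modecfgdns2;
};

/* Constructed stand-in for the relevant part of struct whack_message:
   binary addresses plus a flag saying whether each one was usable. */
struct whack_dns {
    struct in_addr dns1;
    struct in_addr dns2;
    int dns1_set;
    int dns2_set;
};

/* Convert one keyword value; returns 1 on success, 0 if the value is
   missing or bogus.  inet_pton() stands in for tnatoaddr() here. */
static int convert_one(const char *s, struct in_addr *out) {
    if (s == NULL || *s == '\0')
        return 0;
    return inet_pton(AF_INET, s, out) == 1;
}

/* Copy the DNS settings from the config strings into the whack message.
   A bogus value is ignored and processing continues with the next one;
   the return value is the number of addresses that were accepted. */
int fill_modecfg_dns(const struct conn_strings *c, struct whack_dns *w) {
    memset(w, 0, sizeof *w);
    w->dns1_set = convert_one(c->modecfgdns1, &w->dns1);
    w->dns2_set = convert_one(c->modecfgdns2, &w->dns2);
    return w->dns1_set + w->dns2_set;
}

int main(void) {
    /* Constructed inputs: one valid pair, one pair with a bogus dns1. */
    struct conn_strings good = { "1.8.8.8", "3.8.8.8" };
    struct conn_strings mixed = { "not.an.ip", "3.8.8.8" };
    struct whack_dns w;
    char buf[INET_ADDRSTRLEN];

    printf("valid pair: %d accepted\n", fill_modecfg_dns(&good, &w));
    printf("mixed pair: %d accepted\n", fill_modecfg_dns(&mixed, &w));
    if (w.dns2_set)
        printf("dns2 kept as %s, dns1 ignored\n",
               inet_ntop(AF_INET, &w.dns2, buf, sizeof buf));
    return 0;
}
```

The point of doing the conversion late is that the keyword parser never needs per-keyword address handling, which the commit notes was only wired up for the left/right sides of a connection; a malformed value costs nothing more than a missing attribute.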