[Swan] How to let libreswan v3.20 send out "Identification Payload" in "msg 1 in quick mode" ?
Paul Wouters
paul at nohats.ca
Fri Dec 29 17:59:40 UTC 2017
On Fri, 29 Dec 2017, Hao Chen wrote:
>
> Based on https://tools.ietf.org/html/rfc2409#page-18, the "identification
> payload" in "msg 1 in quick mode" could be "optional".
>
> Do you know how to configure IPsec.conf to let libreswan v3.20 send
> out the "identification payload"?

ikev1_quick.c shows:

	/* [ IDci, IDcr ] out */
	if (has_client) {
		/* IDci (we are initiator), then IDcr (peer is responder) */
		if (!emit_subnet_id(&c->spd.this.client,
				    ISAKMP_NEXT_ID,
				    st->st_myuserprotoid,
				    st->st_myuserport, &rbody) ||
		    !emit_subnet_id(&c->spd.that.client,
				    ISAKMP_NEXT_NONE,
				    st->st_peeruserprotoid,
				    st->st_peeruserport, &rbody)) {
			reset_cur_state();
			return STF_INTERNAL_ERROR;
		}
	}

has_client is set if this is not a host-host connection but a net-host
or host-net or net-net connection, which also happens if the client is
behind NAT.

Paul
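
Added illustration (not libreswan code and not part of the message above): a C sketch of what the two optional Quick Mode identity payloads look like on the wire when has_client is true, using the ID_IPV4_ADDR_SUBNET layout from RFC 2407. The helper names put_subnet_id and emit_quick_ids and the sample subnets are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Payload numbers from RFC 2408; ID type from RFC 2407 section 4.6.2.1. */
enum { NEXT_NONE = 0, NEXT_ID = 5, ID_IPV4_ADDR_SUBNET = 4 };

/* Hypothetical helper (not libreswan's emit_subnet_id): append one client
 * identity payload to buf. Returns bytes written, or 0 if it does not fit. */
size_t put_subnet_id(uint8_t *buf, size_t room, uint8_t next,
                     uint32_t net, uint32_t mask, uint8_t proto, uint16_t port)
{
    const size_t len = 16;  /* 4 generic header + 4 ID header + addr + mask */
    if (room < len)
        return 0;
    buf[0] = next;                      /* next payload */
    buf[1] = 0;                         /* reserved */
    buf[2] = 0; buf[3] = (uint8_t)len;  /* payload length, network order */
    buf[4] = ID_IPV4_ADDR_SUBNET;       /* ID type */
    buf[5] = proto;                     /* protocol ID, 0 = any */
    buf[6] = (uint8_t)(port >> 8); buf[7] = (uint8_t)(port & 0xff); /* port, 0 = any */
    for (int i = 0; i < 4; i++) {
        buf[8 + i]  = (uint8_t)(net  >> (24 - 8 * i));
        buf[12 + i] = (uint8_t)(mask >> (24 - 8 * i));
    }
    return len;
}

/* Same shape as the quoted branch: IDci then IDcr, only when has_client. */
size_t emit_quick_ids(int has_client, uint8_t *buf, size_t room)
{
    if (!has_client)
        return 0;                       /* host-host: no ID payloads emitted */
    /* Constructed sample selectors: 192.0.2.0/24 and 198.51.100.0/24. */
    size_t a = put_subnet_id(buf, room, NEXT_ID, 0xC0000200u, 0xFFFFFF00u, 0, 0);
    if (a == 0)
        return 0;
    size_t b = put_subnet_id(buf + a, room - a, NEXT_NONE, 0xC6336400u, 0xFFFFFF00u, 0, 0);
    return b ? a + b : 0;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = emit_quick_ids(1, buf, sizeof buf);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", buf[i], (i % 16 == 15) ? "\n" : " ");
    return 0;
}
```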