[Vpn-help] Fix for faulty remote ID checking ...

Matthew Grooms mgrooms at shrew.net
Fri Sep 15 18:14:49 CDT 2006

Peter Eisch wrote:
> On 9/15/06 12:24 PM, "Matthew Grooms" <mgrooms at shrew.net> wrote:
>>> It would seem to me that the client should make some effort to auth the
>>> server given the policy. Oddly I like the behavior, but it doesn't seem
>>> to make any sense or could be seen to be a security hole.
>>> Bewildered,
	Well, that wasn't fun. I ran out of state bits so I had to split the 
life and transmit state into two bit masks. This meant I had to touch 
every state set/check in ipsecd. Anyhow, here is the result ...

r635 | mgrooms | 2006-09-15 16:10:41 +0000 (Fri, 15 Sep 2006) | 3 lines

Split the SA state flags into life state and transmit state flags. We ran
out of bit flags.

Rework the peer identity check code. Match the ID values and optionally
send a notification when a failure occurs.

	If everyone likes this build, it will get tagged as RC1. After which, I 
will be blazing a trail towards a stable 2.0 which will be an immense 
improvement with respect to the kernel driver architecture.

If you have the time, please help test!