I am using racoon 0.7.1 to connect to a Cisco 5520 ASA which also seems to send Vendor IDs in the second packet - so XAuth is refused.

Have you made any progress on a fix for this issue yet?

I would be happy to help test any patch if that would help.


Timo Teräs wrote:
Jun Yin wrote:
I changed my configuration file as you suggested, it still does not work.
Pls check my attached debug info, it also shows openswan can establish
connection successfully.
I checked the packet and can see racoon is still sending out gss_id attribute.

Thank you for your report and the debug log. It helped me to pinpoint
both problems (gss-api attribute sent and xauth refused) to be bugs in
racoon code.

GSS-API is sent because the authentication mode is checked incorrectly
when it is decided whether to add it or not. I'll post a diff for this
soon and commit it unless someone objects.

Xauth is refused because racoon expects to receive the VIDs during the
first received packet during identity exchange, but your gateway is
actually sending them in the second packet. Racoon just prints the VID
names, but does not actually handle them. In any case the VID handling
seems to be a lot of copy-paste code. Maybe I should just combine it
to a function and make "case ISAKMP_NPTYPE_VID" call that function where
appropriate. Manu, Yvan, opinions?


Ipsec-tools-devel mailing list


Dave Clarke
Director - Technology
Flat Cat IT Ltd           www.flatcatit.co.nz
Tel/Fax: +64-3-542-4530   Mob: 021-886-033   Skype: daveclarke.flatcatit
Need help with operating your sports club ? visit www.opensportz.org !
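
The refactoring proposed in the quoted reply (one VID handler reached from every received packet) is sketched below as an added example; it is not racoon's code and not part of the original thread. The names `handle_vendorid`, `scan_payloads` and `PEER_XAUTH` and the two payload chains are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NPTYPE_NONE 0
#define NPTYPE_VID  13    /* ISAKMP Vendor ID payload type (RFC 2408) */
#define PEER_XAUTH  0x01  /* hypothetical capability bit */

/* XAuth Vendor ID (draft-ietf-ipsec-isakmp-xauth-06) */
static const uint8_t VID_XAUTH[8] = {0x09,0x00,0x26,0x89,0xdf,0xd6,0xb7,0x12};

/* Constructed payload chains (ISAKMP header omitted, bodies are dummies):
 * MSG1 = SA only; MSG2 = KE followed by the XAuth VID. */
static const uint8_t MSG1[] = {0,0,0,6, 0xaa,0xbb};
static const uint8_t MSG2[] = {13,0,0,6, 0x11,0x22,
                               0,0,0,12, 0x09,0x00,0x26,0x89,0xdf,0xd6,0xb7,0x12};

/* The single place that interprets a VID body; returns capability bits. */
static unsigned handle_vendorid(const uint8_t *body, size_t len)
{
    if (len == sizeof(VID_XAUTH) && memcmp(body, VID_XAUTH, len) == 0)
        return PEER_XAUTH;
    return 0;             /* unknown VIDs are ignored, not fatal */
}

/* Walk the generic payload chain (next-payload, reserved, 16-bit length) of
 * any received message, so it does not matter which packet carries the VIDs.
 * Returns 0 on success, -1 on a malformed chain. */
int scan_payloads(uint8_t first, const uint8_t *p, size_t len, unsigned *caps)
{
    uint8_t type = first;
    while (type != NPTYPE_NONE) {
        if (len < 4)
            return -1;    /* truncated generic header */
        size_t plen = ((size_t)p[2] << 8) | p[3];
        if (plen < 4 || plen > len)
            return -1;    /* length field overruns the packet */
        if (type == NPTYPE_VID)
            *caps |= handle_vendorid(p + 4, plen - 4);
        type = p[0];      /* next-payload field selects the next type */
        p += plen;
        len -= plen;
    }
    return 0;
}

int main(void)
{
    unsigned caps = 0;
    scan_payloads(1, MSG1, sizeof(MSG1), &caps);   /* first packet: no VID */
    scan_payloads(4, MSG2, sizeof(MSG2), &caps);   /* second packet: VID */
    return (caps & PEER_XAUTH) ? 0 : 1;
}
```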