From: Timo T. <tim...@ik...> - 2012-09-04 06:50:41
Hi,

On Wed, 29 Aug 2012 14:25:17 +0200 Martin Huter <mh...@ba...> wrote:
> the phase1 script hook (SCRIPT_PHASE1_UP) is not called for a
> vpn connection using the certificate only authentication method
> (without xauth, OAKLEY_ATTR_AUTH_METHOD_RSASIG). patch attached.
> diff -NaurbB ipsec-tools-0.8.0.orig/src/racoon/isakmp_cfg.c ipsec-tools-0.8.0/src/racoon/isakmp_cfg.c > --- ipsec-tools-0.8.0.orig/src/racoon/isakmp_cfg.c 2012-08-29 14:19:01.002311264 +0200 > +++ ipsec-tools-0.8.0/src/racoon/isakmp_cfg.c 2012-08-29 14:19:14.260425870 +0200 > @@ -457,6 +457,7 @@ > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: > case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: > + case OAKLEY_ATTR_AUTH_METHOD_RSASIG: > script_hook(iph1, SCRIPT_PHASE1_UP); > break; > default:

Hum, so you use Mode Configuration, but not Xauth?

Your patch does not update the similar switch in isakmp.c, which might lead to duplicate phase1_up script executions.

However, I'm thinking if the whole switch(authmethod) is bogus and should be deleted. Then we could just unconditionally postpone the script launch if Mode Config was used.

-Timo
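Review bot: The added `case OAKLEY_ATTR_AUTH_METHOD_RSASIG:` in the isakmp_cfg.c hunk (@@ -457,6 +457,7 @@) special-cases a single non-Xauth method, so any other authentication method that is not listed still falls through to `default:` and never reaches `script_hook(iph1, SCRIPT_PHASE1_UP)` on this path. The neighbouring labels all end in `_I`, while the new one carries no such suffix, so it is worth stating in the commit message whether the hook is meant to fire for every RSASIG phase 1 that gets here. The patch touches only isakmp_cfg.c; if isakmp.c holds a matching switch that already launches the script for this method, as the reply points out, the hook can run twice for one phase 1. Please either update both places in the same patch with a short comment saying which one owns the launch, or drop the per-method switch and key the deferred launch on whether Mode Config was used.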