Copyright (c) 2004,2005 Philippe Sultan, INRIA.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled "GNU
Free Documentation License".
openswan 1.0.6 was used for our tests. It can be found here : openswan-1.0.6.tar.gz
Untar the downloaded archive for example in /usr/local/src
We will assume that you untared the archive in this directory to ease
the reading of this doc.
This patch is intented to use pluto
as an ISAKMP server
with a Cisco
VPN client (v4.0.4) in Aggressive Mode + PSK + XAUTH.
It is still rudimentary so any contribution to clean up the modifications
in pluto
's code is welcome.
Frederic Giquel provided a better version of the patch, intented to work with openswan v1.0.6 as well as openswan v2.3.0
You can find them here :
Follow these steps to modify pluto
's code according
with the patch (example given for version 1.0.6):
#cd /usr/local/src/openswan-1.0.6/pluto
#patch -b -p0 < patch-cisco-ios-openswan-1[1][1].0.6.diff
you should see the list of the modified files :
Makefile
connections.c
constants.h
demux.c
id.c
ipsec_doi.c
each modified file has a backed up copy of its orignal version :
<filename>.orig
Please note that Tsukasa Kanazawa's patch for Aggressive Mode has
been
applied to the code.
See http://lists.openswan.org/pipermail/users/2004-July/001652.html to
see what it is intended for.
The main purpose of the proposed modifications included in the patch is
to show the weakness of an Aggressive Mode + PSK + XAUTH authentication
procedure.
The tests performed after applying this patch have shown that XAUTH
credentials provided by the user are sent under ISAKMP phase I SA
keying material
protection, but the password is not hashed in any way.
The modifications made to the original code include :
- the client asks for a 2147483 sec for ISAKMP SA lifetime instead of
the maximum 86400 value specified in pluto
- the actual packet size and packet size specified in header differ, so
that the terms of RFC 2408 §5.1 are not respected.
- A Cisco Vendor ID payload MUST be sent out in the first reply by the
server, otherwise the Client stops saying remote ISAKMP server is not
acceptable
Refer to the INSTALL and README files coming with openswan to know
about these requirements. You'll need libgmp
and libgmp-devel
headers installed as well as OpenSSL headers(openssl-devel
on RedHat)
If libdes
is not installed, openswan comes with it and you can
start the compilation and installation of libdes
.
pluto
won't compile without libdes
:
#cd /usr/local/src/openswan-1.0.6/libdes
#make
#make install
At this step, you should have des.h in your include path
(
/usr/include
or /usr/local/include
).
Now, let's compile pluto
:
#cd /usr/local/src/openswan-1.0.6/pluto
#make all
And that's it, next step is to configure pluto
: go back
A copy of the GNU FDL is available here :
GNU Free Documentation License
Created: 2004/07/26 16:02:41
Updated: $Revision: 1.3 $ $Date: 2005/07/19 22:56:52 $ $Author: sultan $