Feature #57

new pluto connection option: verify_identifier

Added by Martin Willi about 14 years ago. Updated almost 9 years ago.

Won't fix


Hi, there are situations where one would like to skip verifying the
identifier payload in IKE main mode exchanges. The two most important
cases where this arises are:

1. You want to connect to a Windows 2003 IPSec server from behind a
NAT. In this case, the Windows 2003 IPSec server sends a client ID
payload that has an incorrect subnet address. Patches exist for
strongswan and openswan to handle just this case, but this patch
fixes it more cleanly, the same way racoon and the OSX IPSec client
handle it.
2. Your IPSec server infrastructure has particular needs that demand
that your clients accept bad IDs anyway. This can arise if you are
using an IPSec appliance that only sends a "verify by my IP" but
that IP is actually behind a VIP.

For these purposes, I've written a patch to add a new option to pluto
(and whack and starter, but not charon) to support an option borrowed
from racoon, "verify_identifier". With it set to false, main mode
identifier checks are allowed to fail. In a production scenario, this
should only be used with a fallback verification system such as a
trusted certificate authority. The option defaults to true, and even with
it set to false, it will print SERIOUS level log messages to notify
the user that identifier verification failed but was allowed to
continue anyway.

verify-identifier-option.2.diff (19.3 KB), Martin Willi, 09.06.2008 20:31
more_windows_fixes.diff (1.47 KB), more verify_identifier fixes for using a windows 2003 ipsec server, Martin Willi, 21.09.2008 06:07
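Added example, not code from the attached patch or from strongSwan/pluto: it parses an IKEv1 Identification payload (generic payload header followed by ID type, protocol ID, port and identification data, as laid out in RFC 2407), compares the peer's ID with the configured one, and applies a verify_identifier-style policy. The Windows-behind-NAT case from the description is reproduced with constructed addresses (the expected ID_IPV4_ADDR and the ID_IPV4_ADDR_SUBNET the peer actually sends are made up for the example). The proposed option alone lets the check fail; this example additionally refuses to continue unless a certificate check succeeded, which is the fallback the description recommends and is an assumption of the example, not part of the proposed patch. Function names such as check_peer_id are hypothetical.

```python
"""Constructed example: IKEv1 ID payload parsing plus a verify_identifier policy.
Not strongSwan/pluto code; names and the certificate-fallback rule are assumptions."""
import ipaddress
import logging
import struct
from dataclasses import dataclass

# ID types from RFC 2407 (IPsec DOI), section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4

log = logging.getLogger("ike-id-check")


@dataclass(frozen=True)
class IdPayload:
    id_type: int
    protocol_id: int
    port: int
    data: bytes

    def text(self) -> str:
        """Human-readable form of the identification data, used in log lines."""
        if self.id_type == ID_IPV4_ADDR:
            return str(ipaddress.IPv4Address(self.data))
        if self.id_type == ID_IPV4_ADDR_SUBNET:
            addr, mask = self.data[:4], self.data[4:]
            return f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}"
        if self.id_type in (ID_FQDN, ID_USER_FQDN):
            return self.data.decode("ascii", errors="replace")
        return self.data.hex()


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0,
                     protocol_id: int = 0, port: int = 0) -> bytes:
    """Encode an ID payload: next(1) reserved(1) length(2) type(1) proto(1) port(2) data."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data),
                       id_type, protocol_id, port) + data


def parse_id_payload(buf: bytes) -> IdPayload:
    """Decode an ID payload, rejecting truncated or inconsistent lengths."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    _next, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError(f"payload length {length} inconsistent with buffer")
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR and len(data) != 4:
        raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
    if id_type == ID_IPV4_ADDR_SUBNET and len(data) != 8:
        raise ValueError("ID_IPV4_ADDR_SUBNET must carry address and mask (8 bytes)")
    return IdPayload(id_type, proto, port, data)


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_id_payload(buf)
        return True
    except ValueError:
        return False


def check_peer_id(received: IdPayload, expected: IdPayload, *,
                  verify_identifier: bool = True,
                  cert_verified: bool = False) -> Verdict:
    """Compare the peer's ID (type and data) with the configured one.

    verify_identifier=True: any mismatch is fatal.
    verify_identifier=False: the mismatch is logged loudly and tolerated, but
    only if the peer's certificate already verified (example's own rule)."""
    if (received.id_type, received.data) == (expected.id_type, expected.data):
        return Verdict(True, "identifier matches")
    msg = f"peer ID {received.text()} does not match expected {expected.text()}"
    if verify_identifier:
        log.error("%s; rejecting main mode exchange", msg)
        return Verdict(False, msg)
    if not cert_verified:
        log.error("%s; verify_identifier=no but no certificate fallback, rejecting", msg)
        return Verdict(False, msg + " (no fallback verification)")
    log.error("SERIOUS: %s; continuing because verify_identifier=no and the "
              "peer certificate verified", msg)
    return Verdict(True, msg + " (accepted via certificate fallback)")


# Constructed Windows-behind-NAT case: we expect the gateway's public address,
# but the ID payload carries a private subnet instead.
EXPECTED_WIRE = build_id_payload(ID_IPV4_ADDR, bytes([203, 0, 113, 10]))
RECEIVED_WIRE = build_id_payload(ID_IPV4_ADDR_SUBNET,
                                 bytes([192, 168, 1, 0, 255, 255, 255, 0]))


def nat_case(verify_identifier: bool, cert_verified: bool) -> Verdict:
    return check_peer_id(parse_id_payload(RECEIVED_WIRE), parse_id_payload(EXPECTED_WIRE),
                         verify_identifier=verify_identifier, cert_verified=cert_verified)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for vi, cv in ((True, True), (False, False), (False, True)):
        print(f"verify_identifier={vi} cert_verified={cv}: {nat_case(vi, cv)}")
```

The comparison deliberately ignores protocol ID and port so that only the identity itself decides, and the permissive branch still emits an error-level line on every mismatch, mirroring the description's point that a disabled check must remain visible in the logs.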


#1 Updated by Tobias Brunner almost 9 years ago

  • Status changed from New to Closed
  • Priority changed from High to Normal
  • Resolution set to Won't fix

Pluto is not supported anymore.
