I'd like to restrict the acceptable IKE/ESP proposal. From some other postings it can be achieved by ike= or esp= at connection setting. <br>However, in my case, responder accepts all the ike/esp proposal that he knows. <br clear="all">
Here is my configuration<br><br>--------------<br>config %default<br> left=<a href="http://100.1.1.2"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "100.1.1.2" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 100.1.1.2</a><br> leftsubnet=<a href="http://10.10.10.0/24"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "10.10.10.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 10.10.10.0/24</a><br> leftnexthop=<a href="http://10.10.10.2"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "10.10.10.2" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious:
10.10.10.2</a><br> right=<a href="http://100.1.1.3"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "100.1.1.3" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 100.1.1.3</a><br> rightsubnet=<a href="http://20.20.20.0/24"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "20.20.20.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 20.20.20.0/24</a><br> rightnexthop=<a href="http://20.20.20.2"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "20.20.20.2" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 20.20.20.2</a><br> type=tunnel<br> authby=secret
<br><br>config conn_left<br> ike=aes<br> esp=aes<br><br>config conn_right<br> ike=3des<br> esp=3des<br>---------------<br><br>If I up conn_left the right(responder) accepts aes.<br>If I up conn_right the left accepts 3des.
<br><br>Is this a bug or should I do something else to restrict the algorithms used for ike/esp proposal?<br><br>--<br>Jungwoo Ha