<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.10.3">
</HEAD>
<BODY>
On Wed, 2006-09-27 at 16:51 +0200, Paul Wouters wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">On Wed, 27 Sep 2006, Bas Driessen wrote:</FONT>
<FONT COLOR="#000000">> Going through the lists, I found out that DES is not supported by</FONT>
<FONT COLOR="#000000">> default in OpenSwan, so I have re-compiled the package by setting the</FONT>
<FONT COLOR="#000000">> USE_WEAKSTUFF?=true flag in the Makefile.inc and also corrected the line</FONT>
<FONT COLOR="#000000">> to WEAK_DEFS=-DUSE_VERYWEAK_DH1=1 -DUSE_1DES in the Makefile of Pluto.</FONT>
<FONT COLOR="#000000">> All compiles OK. I know that 3DES is better etc, but this is out of my</FONT>
<FONT COLOR="#000000">> control. I have to get it to work with the current setup.</FONT>
<FONT COLOR="#000000">You might also need to set USE_BROKEN=yes</FONT>
</PRE>
</BLOCKQUOTE>
I have set this and the results are the same. If I perform an fgrep of USE_BROKEN in all files of openswan, I do not get a match. So I have the impression that this switch does not exist.<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">3DES is not "better". 1DES is trivially brute forced. You have no VPN. You</FONT>
<FONT COLOR="#000000">better make sure your boss knows that, and gets it in writing, so that</FONT>
<FONT COLOR="#000000">you can blame management for this unwise decision.</FONT>
</PRE>
</BLOCKQUOTE>
I have informed them already and it is maybe even wiser not to use SonicWall at all ;) , but again it is out of my control. They may have their reasons to use it. For the time being I just need to connect. I had to set up a Windows box with this Sonic client for the time being, since I can't get openswan to work. This is a disappointing development.<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">> left=%defaultroute</FONT>
<FONT COLOR="#000000">> leftsubnet=192.168.1.0/24</FONT>
<FONT COLOR="#000000">> leftid=192.168.1.13</FONT>
<FONT COLOR="#000000">> sonicwall.secrets</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> 192.168.1.13 66.nnn.nnn.nnn : PSK "abcdef"</FONT>
<FONT COLOR="#000000">If your ip is actually 192.168.1.13 you cannot tunnel 192.168.1.0/24.</FONT>
<FONT COLOR="#000000">you cannot be at two places at once.</FONT>
</PRE>
</BLOCKQUOTE>
<BR>
Have tried with leftsubnet=192.168.1.13/32 without success.<BR>
<BR>
Also tried leaving out leftsubnet and leftid altogether. No success.<BR>
<BR>
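Added example, not part of the original mail or of Openswan: a small checker for the two problems raised in this thread, a leftsubnet that contains the host's own address (the "two places at once" point) and single-DES / DH group 1 proposals. The conn text below is constructed to mirror the settings quoted above; the ike=/esp= algorithm spellings (des, modp768) are assumed.<BR>

```python
import ipaddress

# Constructed conn stanza mirroring the thread's settings (not the poster's
# file); the remote address keeps the mail's redacted 66.nnn placeholder.
SAMPLE_CONN = """\
conn sonicwall
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=192.168.1.13
    right=66.nnn.nnn.nnn
    ike=des-md5-modp768
    esp=des-md5
    authby=secret
"""

# Proposal tokens treated as weak (assumed spelling of the ike=/esp= syntax).
WEAK_TOKENS = {"des": "single DES, trivially brute forced",
               "modp768": "DH group 1 (768-bit)"}

def parse_conn(text):
    """Parse one ipsec.conf conn stanza into a dict of key=value settings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("conn ") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def check_conn(settings):
    """Return short problem codes for the misconfigurations raised in the thread."""
    problems = []
    left = settings.get("left", "")
    # With left=%defaultroute the host's identity is carried by leftid.
    host = left if left and not left.startswith("%") else settings.get("leftid", "")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # leftid is not an IP address (e.g. an @fqdn id)
    subnet = settings.get("leftsubnet")
    # The endpoint cannot also sit inside the subnet it protects unless
    # the subnet is just its own host route (/32).
    if addr is not None and subnet:
        net = ipaddress.ip_network(subnet, strict=False)
        if addr in net and net.prefixlen < net.max_prefixlen:
            problems.append("left-inside-leftsubnet")
    for key in ("ike", "esp"):
        for proposal in settings.get(key, "").split(","):
            for token in proposal.split("-"):
                if token in WEAK_TOKENS:
                    problems.append(f"weak-{key}-{token}")
    return problems

if __name__ == "__main__":
    for code in check_conn(parse_conn(SAMPLE_CONN)):
        print(code)
```
<BR>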
</BODY>
</HTML>