<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; CHARSET=UTF-8">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=500465514-12112007><FONT face=Arial
color=#0000ff size=2>Note that aggressive mode is weak, if you can turn it off
on the checkpoint (and openswan) that is better.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=500465514-12112007><FONT face=Arial
color=#0000ff size=2>ike needs to match the encryption settings set on the
checkpoint, for example, 3des-md5-modp1024, 3des-sha1-modp1536,
aes-sha1-modp1536, etc...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=500465514-12112007><FONT face=Arial
color=#0000ff size=2>Make sure that Diffie-Hellman (DH) Group 1 (768
bits) is not used on the checkpoint, it's weak and openswan doesn't support
it.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=500465514-12112007><FONT face=Arial
color=#0000ff size=2>Instead use Group 2 (1024) or Group 5 (1536), match the
setting in the checkpoint using the above format.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=500465514-12112007><FONT face=Arial
color=#0000ff size=2>pfs=yes|no also needs to match the Perfect Forward Secrecy
Setting on the checkpoint, yes is better as it is more
secure.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=500465514-12112007><FONT face=Arial
color=#0000ff size=2>If your checkpoint uses different encryption for ike phase
1 and esp phase 2 then also set the esp line to match.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=500465514-12112007><FONT face=Arial
color=#0000ff size=2>ie) esp=3des-md5 (Like ike but without the modp, dh group.
Defaults to the same as ike so you can leave out if they
match.)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=500465514-12112007><FONT face=Arial
color=#0000ff size=2>Note these options are explained in the ipsec.conf
manpage.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
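<DIV>The checks described in the reply above, as an added example that is not part of the original message or of Openswan: a small linter for one conn section, covering only the cipher-hash-modpNNNN proposal form shown in the message. It assumes the Openswan option name aggrmode for aggressive mode and pfs defaulting to yes; the function names, the peer_group/peer_pfs parameters and the sample sections are constructed for illustration.</DIV>
<PRE>
```python
import re

# DH group number to modp size in bits, as listed in the message above.
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}

def parse_conn(text):
    """Collect key=value options from one conn section (comments stripped)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip().lower()
    return opts

def check_conn(text, peer_group, peer_pfs):
    """Return findings for a conn section, given the peer's DH group and PFS."""
    opts, findings = parse_conn(text), []
    want = DH_GROUPS[peer_group]
    if opts.get("aggrmode", "no") == "yes":  # assumed option name: aggrmode
        findings.append("aggrmode: aggressive mode is weak, turn it off on both ends if possible")
    proposals = [p.strip() for p in opts.get("ike", "").split(",") if p.strip()]
    if not proposals:
        findings.append("ike: not set")
    for prop in proposals:
        m = re.fullmatch(r"[a-z0-9]+-[a-z0-9]+-modp(\d+)", prop)
        if m is None:
            findings.append("ike: %s is not cipher-hash-modpNNNN" % prop)
            continue
        bits = int(m.group(1))
        if bits == DH_GROUPS[1]:
            findings.append("ike: %s uses DH Group 1 (768 bits), weak and unsupported" % prop)
        elif bits != want:
            findings.append("ike: %s does not match peer group %d (modp%d)" % (prop, peer_group, want))
    if "modp" in opts.get("esp", ""):  # esp is like ike but without the DH group
        findings.append("esp: %s must not carry a modp group" % opts["esp"])
    pfs = opts.get("pfs", "yes")  # assumption: pfs defaults to yes when omitted
    if pfs != peer_pfs:
        findings.append("pfs: %s does not match peer setting %s" % (pfs, peer_pfs))
    return findings

# Constructed sample sections, not taken from the thread.
SAMPLE = """conn checkpoint
    aggrmode=yes
    ike=3des-md5-modp768,3des-sha1-modp1536
    esp=3des-md5-modp1024
    pfs=no
"""
GOOD = "conn checkpoint\n    ike=3des-sha1-modp1536\n    pfs=yes\n"
```
</PRE>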
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Kurt
Burger<BR><B>Sent:</B> November 9, 2007 5:05 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] Aggressive mode and
IKE=<BR></FONT><BR></DIV>
<DIV></DIV>Hi, I want to connect against a Checkpoint Securemote VPN in
aggressive mode as a warrior client.<BR><BR>I have to put the IKE=???
parameter inside the ipsec.conf file but don't know what I have to substitute
for the ??? The aggrassive=yes parameter told me so. Any help is very
welcomed.<BR><BR>Regards Kurt </BLOCKQUOTE></BODY></HTML>