[Openswan dev] Re: openswan 3DES+SHA1+XAUTH

Michael Richardson mcr at sandelman.ottawa.on.ca
Wed Dec 8 19:56:59 CET 2004




Uhm, a)

     > Dec  8 16:59:42 [ipsec__plutorun] ...could not start conn "GroupVPN"

you can't have an interactive (i.e. XAUTH) conn started with auto=start.
The password has to be typed in. Some later patches may permit the
username/password to be in the config file... frankly, from a reasonable
security point of view, if you are going to do that, you might as well
use raw RSA keys. 

b) > Dec  8 16:59:42 [pluto] "GroupVPN" #1: ISAKMP SA established
   > Dec  8 16:59:42 [pluto] "GroupVPN" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}

If it goes from ISAKMP SA to quick mode, then, you didn't actually
configure XAUTH.

-- 
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


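The check described in (b), as an added example that is not part of the original message and not Openswan code: it reads pluto log lines in the format quoted above and reports each Quick Mode that started on an ISAKMP SA with no XAUTH message logged in between. Treating any message that contains "XAUTH" as evidence of the exchange is an assumption, and the "RoadWarrior" lines are constructed sample input.

```python
import re

# Matches pluto lines in the format quoted in the post, e.g.
#   Dec  8 16:59:42 [pluto] "GroupVPN" #1: ISAKMP SA established
LINE = re.compile(r'\[pluto\] "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
USING = re.compile(r'\{using isakmp#(\d+)\}')


def quick_modes_without_xauth(lines):
    """Return (conn, isakmp_sa, policy) for every Quick Mode that was started
    on an ISAKMP SA without any XAUTH message logged on that SA first."""
    xauth_seen = {}  # (conn, ISAKMP SA number) -> XAUTH message seen so far?
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        conn, sa, msg = m["conn"], int(m["sa"]), m["msg"]
        if "ISAKMP SA established" in msg:
            xauth_seen[(conn, sa)] = False
        elif "initiating Quick Mode" in msg:
            u = USING.search(msg)
            key = (conn, int(u.group(1))) if u else None
            if key in xauth_seen and not xauth_seen[key]:
                policy = msg.split("initiating Quick Mode", 1)[1].split("{")[0]
                findings.append((conn, key[1], policy.strip()))
        elif "XAUTH" in msg and (conn, sa) in xauth_seen:
            # Assumption: any message mentioning XAUTH on this SA counts.
            xauth_seen[(conn, sa)] = True
    return findings


SAMPLE = [
    # The two lines quoted in the post.
    'Dec  8 16:59:42 [pluto] "GroupVPN" #1: ISAKMP SA established',
    'Dec  8 16:59:42 [pluto] "GroupVPN" #2: initiating Quick Mode '
    'PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}',
    # Constructed lines for a hypothetical conn where XAUTH did run.
    'Dec  8 17:05:10 [pluto] "RoadWarrior" #3: ISAKMP SA established',
    'Dec  8 17:05:11 [pluto] "RoadWarrior" #3: XAUTH: constructed message',
    'Dec  8 17:05:12 [pluto] "RoadWarrior" #4: initiating Quick Mode '
    '{using isakmp#3}',
]

if __name__ == "__main__":
    for conn, sa, policy in quick_modes_without_xauth(SAMPLE):
        print(f'"{conn}": Quick Mode on isakmp#{sa} without XAUTH ({policy})')
```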

