[Openswan dev] Freeswan-1.99 patch: SHA first, interop with broken Checkpoint VPN-1

matt-openswan-dev at kindjal.net matt-openswan-dev at kindjal.net
Tue May 11 17:16:34 CEST 2004


This patch puts SHA1 ahead of MD5 in the SA proposal.  This allows
freeswan 1.99 to interoperate with some broken implementations of
Checkpoint VPN-1, which advertise MD5 hashing but fail to do it
properly.

Note that I've got the DES patch in here too.  But it should be clear
from the patch what you would do if you didn't have the DES patch too.


--- pluto/spdb.c.orig	2004-05-11 14:19:16.000000000 -0500
+++ pluto/spdb.c	2004-05-11 14:19:42.000000000 -0500
@@ -283,11 +283,11 @@
 /* arrays of transforms, each in in preference order */

 static struct db_trans espa_trans[] = {
-    { ESP_3DES, AD(espmd5_attr) },
     { ESP_3DES, AD(espsha1_attr) },
+    { ESP_3DES, AD(espmd5_attr) },
 #ifdef USE_SINGLE_DES
-    { ESP_DES, AD(espmd5_attr) },
     { ESP_DES, AD(espsha1_attr) },
+    { ESP_DES, AD(espmd5_attr) },
 #endif
     };
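Review bot: The new SHA1-before-MD5 order in `espa_trans` carries no comment explaining it, so a later maintainer may swap it back on the assumption that the original MD5-first order was deliberate; a short comment above the array, e.g. `/* SHA1 listed before MD5: stronger HMAC, and some peers advertise MD5 but fail to negotiate it correctly */`, would record the rationale. The same point applies to `espnull_trans` in the second hunk. Preference order only decides which proposal is offered or matched first; peers that support only HMAC-MD5 still match the second entry, so this is a preference change rather than a removal. If the file also holds AH transform arrays (not visible in this patch), they presumably still list MD5 first, which would leave ESP and AH preferences inconsistent and is worth checking. The unchanged context comment reads `each in in preference order`; one `in` should be dropped while this declaration is being edited.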

@@ -300,8 +300,8 @@

 #ifdef SUPPORT_ESP_NULL
 static struct db_trans espnull_trans[] = {
-    { ESP_NULL, AD(espmd5_attr) },
     { ESP_NULL, AD(espsha1_attr) },
+    { ESP_NULL, AD(espmd5_attr) },
     };
 #endif /* SUPPORT_ESP_NULL */


