[Openswan dev] Freeswan-1.99 patch: SHA first, interop with interop note broken Checkpoint VPN-1

Paul Wouters paul at xelerance.com
Wed May 12 01:02:52 CEST 2004

On Tue, 11 May 2004 matt-openswan-dev at kindjal.net wrote:

> This patch puts SHA1 ahead of MD5 in the SA proposal.  This allows
> freeswan 1.99 to interoperate with some broken implementations of
> Checkpoint VPN-1, which advertise MD5 hashing, but fail to do it
> properly.

Is it possible for you to send us a log of the entire conversation,
including full vendor id's? Perhaps we can then identify the case of
broken Checkpoint VPN-1 products and for instance not offer md5 to them
at all.

I did try your patch against one of my production customer boxes that
have a broken VPN interop between Checkpoint and our Openswan-1 machine,
but it did not resolve my problem. (IPsec SA gets established, but the
Checkpoint then eats up all ESP and never sends me anything).

Thanks for the information though. We will put it in our interop notes.

