[Openswan Users] IOS Cisco - bug

David Prestwich dprestwich at pacsim.com
Wed Feb 11 13:08:06 CET 2004


Ken,

I'm going to break down and go openswan today and get things up and 
running.  Is it possible then for me to define DES in the config file?  
So that openswan only sends out the DES, AES, or 3DES proposal?  I 
thought I remembered reading something about that back with superfreeswan. 

Something like:

encrypt:  DES

/David

Ken Bantoft wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>On Wed, 11 Feb 2004, David Prestwich wrote:
>
>  
>
>>Hello all,
>>
>>I am using an outdated freeswan 1.95 that works great but doesn't have 
>>all the functionality that the newer versions have.  (I plan on 
>>upgrading, just need the time and resources).  I've run into a little 
>>snag with a Cisco IOS version 12.2 this past week and I know that it is 
>>a fault in the way it runs their proposal.  In essence, freeswan sends 
>>out all the proposals as it should yet IOS fails on the first proposal 
>>of 3DES because the domain admin on the other side has set the 
>>configuration to DES.  I asked if he would switch this to 3DES but he 
>>states he can't until he does an upgrade on their side to allow 3DES.  
>>During the connection the SA is established but no proposal is chosen 
>>because their side does not want to get set to 3DES.  I can use DES on 
>>my 1.95 version and am using it currently with several sites.  My 
>>question is:  (and I'm pretty sure I know the answer) can I set 1.95 to 
>>tell it which level of encryption to use?  I know in the newer version 
>>you can define say DES or 3DES but can you do this with the older ones?  
>>I don't think that you can.  Any feedback would be great.  Thanks.
>>    
>>
>
>Single DES is not supported in any version of FreeS/WAN, and won't be.
>
>Openswan 1.0.0 has some support for it - it's disabled by default so you 
>need to turn it on at compile time.
>
>You were right to ask them to upgrade - 1DES is considered insecure by 
>today's standards.
>
>- -- 
>Ken Bantoft			VP Business Development
>ken at xelerance.com		Xelerance Corporation
>sip://toronto.xelerance.com	http://www.xelerance.com
>
>The future is here. It's just not evenly distributed yet. 
>        -- William Gibson
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQFAKpfKPiOgilmwgkgRAi+lAJ9heR+DuiJEAxW8JFgrDn3rz19u6gCgidL3
>PaliPXBQfdMs0hoDUt0mlIY=
>=RQqh
>-----END PGP SIGNATURE-----
>
>  
>
