[Openswan Users] DH Group 1 in 2.2.x?

Nate Carlson natecars at natecarlson.com
Mon Oct 25 12:23:51 CEST 2004


Hey all,

I'm helping a customer out with a migration from an old VPN concentrator 
to a new one, and am running into a bit of an issue. We're going from SFS 
to Openswan 2.2.0. Unfortunately, they have some links set up that are 
using DH Group 1, which isn't supported in 2.2.0. I'm trying to see if we 
can get the remote ends set up to support DH Group 2, but if not, is it 
possible to get DH Group 1 supported in 2.2.0?

Looking at the source, it looks like it may just be commented out:

programs/pluto/crypto.c:

#if 0   /* modp768 not sufficiently strong */
     modp768_modulus,
#endif

#if 0   /* modp768 not sufficiently strong */
     || mpz_init_set_str(&modp768_modulus, MODP768_MODULUS, 16) != 0
#endif

#if 0   /* modp768 not sufficiently strong */
     { OAKLEY_GROUP_MODP768, &modp768_modulus, BYTES_FOR_BITS(768) },
#endif

Would removing the "#if 0"'s get it working, or are there other parts of 
the code that aren't in place?

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------

