[Openswan Users] Does aggr mode support 1des?

Paul Wouters paul at xelerance.com
Wed Oct 27 16:13:11 CEST 2004

On Wed, 27 Oct 2004, swcims wrote:

[ email address swcims <swcims at 163.com> removed from sending list, since it
   caused a weird kind of smtp auth failure ]

> 	I am using superfreeswan 1.99.8.I found that in aggressive mode,superfs only send 3des packets even if you used "--ike des-sha-modp768".Dose other freeswan's aggressive mode support des encryption?Does anyone know how to let freeswan send des packet in aggressive mode?

With aggressive mode, you already have to decide the algorithm before sending
the first packet (so phase 1). You already do the crypto in that first packet
(that is why a DOS against aggressive mode is trivial), so you have to decide it.

If you do not specify an ike= option, then *swan will pick one for you. It cannot
pick more then one. In phase 2, you can again offer multiple proposals for the
remote peer to choose from.

This is why you should avoid aggressive mode. Automatic keying is severely limited,
as you have to get it right on the first guess.

That said, I am not sure why sfs is not using your ike= line. Perhaps because
modp768 is plainly inadequate, perhaps that version wants 'sha1' instead of 'sha', or
perhaps the module hasn't been loaded with the 'yes i know what i am doing' hack to
activate 1DES, which is utterly and completely insecure.


More information about the Users mailing list