[Openswan Users] Checkpoint VPN
Ken Bantoft
ken at xelerance.com
Wed Oct 27 11:34:06 CEST 2004
FYI, I did this exact configuration on Monday, and it works fine. You
need to get both sides to agree on:

Cipher: 3DES
Hash: MD5 or SHA1
Phase 1 Lifetime of 8 hours (Checkpoint Default is 24h)

We had pfs=no, as that seems to make the Checkpoint happy, but if your
CP supports turning PFS on, then do so.

On *Swan, we omitted the ike= and esp= lines, as the defaults are fine.

I don't know/have access to the CP box to look at the config, so I can't
tell you what screens to go poking in.

Ken

On Mon, 2004-10-25 at 15:20, Chris Berry wrote:
> Paul Wouters wrote:
>
> > What happens if you do not specify ike= and esp= lines?
>
> Can you do that?
>
> > Another attempt you can try is esp=3des-sha1-96 and/or
> > ike=aes128-sha-modp1024,3des-sha-modp1024.
> >
> > It would help if you know what the other end has configured,
>
> Not sure how I would post that, I'll check with them.
>
> > so you can
> > correctly specify the precise phase 1 and phase 2 encryption ciphers and
> > algorithms.
> >
> > Paul
>
> Our first attempt at a fix was to ensure that both sides were using as
> similar a configuration as possible as far as IKE and ESP are concerned.