[Openswan Users] Checkpoint VPN

Ken Bantoft ken at xelerance.com
Wed Oct 27 11:34:06 CEST 2004


FYI, I did this exact configuration on Monday, and it works fine.  You
need to get both sides to agree on:

Cipher: 3DES
Hash: MD5 or SHA1
Phase 1 Lifetime of 8 hours (Checkpoint Default is 24h)


We had pfs=no, as that seems to make the Checkpoint happy, but if your
CP supports turning PFS on, then do so.

On *Swan, we omitted the ike= and esp= lines, as the defaults are fine. 
I don't know/have access to the CP box to look at the config, so I can't
tell you what screens to go poking in.

Ken



On Mon, 2004-10-25 at 15:20, Chris Berry wrote:
> Paul Wouters wrote:
> 
> > What happens if you do not specify ike= and esp= lines?
> 
> Can you do that?
> 
> > Another attempt you can try is esp=3des-sha1-96 and/or
> > ike=aes128-sha-modp1024,3des-sha-modp1024.
> > 
> > It would help if you know what the other end has configured,
> 
> Not sure how I would post that, I'll check with them.
> 
> > so you can
> > correctly specify the precise phase 1 and phase 2 encryption ciphers and
> > algorithms.
> > 
> > Paul
> 
> Our first attempt at a fix was to ensure that both sides were using as
> similar a configuration as possible as far as IKE and ESP are concerned.
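To make the settings Ken lists concrete, the following is an added example of an Openswan ipsec.conf conn block; it is not taken from the thread or from Openswan's own documentation. The addresses and subnets are constructed RFC 5737 documentation values, the connection name and the Phase 2 lifetime (keylife) are assumptions, and the Checkpoint side still has to be set to the same parameters by hand.

```ini
# Added example (not from the thread): Openswan ipsec.conf fragment matching
# the parameters agreed in the thread: 3DES, MD5 or SHA1, 8h Phase 1 lifetime,
# pfs=no, and no explicit ike=/esp= lines so the Openswan defaults apply.
config setup
        interfaces=%defaultroute
        nat_traversal=no

conn checkpoint-site
        # our Openswan gateway and the network behind it (constructed values)
        left=192.0.2.10
        leftsubnet=10.1.0.0/16
        leftnexthop=%defaultroute
        # the Checkpoint gateway and the network behind it (constructed values)
        right=198.51.100.20
        rightsubnet=10.2.0.0/16
        # pre-shared key; the key itself lives in ipsec.secrets, e.g.
        #   192.0.2.10 198.51.100.20 : PSK "<placeholder-psk>"
        authby=secret
        # Phase 1 lifetime both sides must agree on (Checkpoint default is 24h)
        ikelifetime=8h
        # Phase 2 SA lifetime: assumed value, not stated in the thread
        keylife=1h
        # pfs=no is what made the Checkpoint happy in Ken's setup; set pfs=yes
        # as soon as the Checkpoint side supports it
        pfs=no
        # ike= and esp= are deliberately left out, as Ken did, so the Openswan
        # defaults (3DES with MD5/SHA1) are proposed. Paul's explicit
        # alternatives from the thread would be:
        #   ike=aes128-sha-modp1024,3des-sha-modp1024
        #   esp=3des-sha1-96
        auto=start
```

After `ipsec auto --add checkpoint-site` and `ipsec auto --up checkpoint-site`, `ipsec auto --status` shows the IKE and ESP algorithms that were actually negotiated, which is the quickest way to confirm that both ends really agreed on the cipher, hash and lifetimes rather than only appearing to.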


