[Openswan Users] WLAN IPsec implementation

Paul Wouters paul at xelerance.com
Sun May 15 12:58:17 CEST 2005


On Sat, 14 May 2005, Bryan McAninch wrote:

> I would recommend using a PSK instead of x.509, as I've encountered problems
> during Phase 1 with XP/x.509 - namely "Hash Payload has an unknown value".
> Also, XP (as well 2k) supports PFS, so use it if you can.

I will test to see if that hash payload issue is related to PSK or X.509.
In general, it is REALLY much better to use X.509 than PSK. PSK is bad, and
it gets worse with NAT traversal.

> As you can see, the above configuration allows my laptop to access anything
> (leftsubnet=0.0.0.0/0), assuming it's permitted by the firewall policy, via
> the IPSec over 802.11 connection. I also use the 'rekey=no' option with
> Windows client since without it, I get numerous amounts of overlapping Phase
> 1 & 2 SA's (which consumes valuable resources on the 400MHz/128M FW/VPN).

You should use rekey=no on the server, since if you close your laptop you
want the server to stop trying to rekey the connection.
However, you should not see overlapping SA's. There was a bug in 2.2.x, but
that should have been fixed. Is it possible for you to use 2.3.x and try
and trigger these to see if this is not a new issue?

Paul
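For reference, here is how the server-side ipsec.conf from this thread looks with the advice above applied (an added example, not taken from the thread or from the Openswan distribution; the certificate file name and DN are placeholders):

```ini
# Added example. Openswan 2.x ipsec.conf for a roaming laptop ("road warrior")
# behind NAT. Gateway cert file and DN below are placeholders.
config setup
        interfaces=%defaultroute
        # needed once the laptop sits behind a NAT box; this is where a
        # shared PSK becomes a liability, since the responder cannot pick
        # the right secret from the peer's (translated) address
        nat_traversal=yes

# The discouraged variant: one PSK shared by every %any client.
conn laptop-psk
        authby=secret
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        right=%any
        auto=add

# The recommended variant: X.509 certificates, PFS on, no server-side rekey.
conn laptop-x509
        authby=rsasig
        left=%defaultroute
        # gateway certificate in /etc/ipsec.d/certs (placeholder name)
        leftcert=gateway-cert.pem
        # placeholder DN matching the subject of that certificate
        leftid="C=XX, O=Example, CN=gateway.example.org"
        leftrsasigkey=%cert
        # laptop may reach anything behind the gateway, subject to the firewall
        leftsubnet=0.0.0.0/0
        # any client presenting a certificate from a CA in /etc/ipsec.d/cacerts
        right=%any
        rightrsasigkey=%cert
        # XP and 2k support PFS, so turn it on
        pfs=yes
        # the server must not keep trying to rekey after the laptop is closed
        rekey=no
        auto=add
```

Only the conn with `auto=add` that the client actually negotiates is used; keeping `laptop-psk` in the file is for comparison and should be dropped on a production gateway.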

