[Openswan Users] FW: VPN works, but you can't eBay ;-)

Miguel Dilaj mdilaj at nccglobal.com
Tue May 17 16:40:05 CEST 2005


Hi Paul,

Thanks for your comments. Just corrected the first line. As I wrote before,
NAT-T is enabled but not used, so I'm not sure if it's really working.
Probably it was just ignoring the last bit...

Regarding the 2nd line, this is all the explanation in the help of SafeNet:

  * If you selected the Enable Perfect Forward Secrecy (PFS) check box, in
the PFS Key Group list, click a Diffie-Hellman group.
  * To set a counter that determines if a packet is unique, select the
Enable Replay Detection check box. 

Cheers,

Miguel


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: 17 May 2005 15:34
To: Miguel Dilaj
Cc: users at openswan.org
Subject: RE: [Openswan Users] FW: VPN works, but you can't eBay ;-)


On Tue, 17 May 2005, Miguel Dilaj wrote:

> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!{read note below}/24

Doesn't it warn you about this line? It should be !%v4:range/24 and not
%v4:!range/24. It might be disabling NAT-T on this machine (or just ignoring
the last exclusion).

> 	enable PFS
> 	DH group 2
> 	enable replay detection (I still wonder what's that ;-)

Usually what vendors mean by replay detection/prevention is just PFS. I am not
sure what else it should/could be, if they do not mean PFS.

Paul


