[Openswan Users] FW: VPN works, but you can't eBay ;-)

Jacco de Leeuw jacco2 at dds.nl
Wed May 18 01:04:25 CEST 2005


Paul Wouters wrote:

> Doesn't it warn you about this line? It should be !%v4:range/24 and not
> %v4:!range/24. It might be disabling NAT-T on this machine (or just ignore
> the last exclusion)

Are you sure? Mathieu Lafon provides an example on
http://open-source.arkoon.net/freeswan/README.NAT-Traversal.0.6
and he uses %v4:!range/24.

> Usually the replay detection/prevention vendors mean is just PFS. I am
> not sure what else it should/could be, if they do not mean pfs.

Could it be authentication? After all, without message integrity an
attacker can do a replay and bit flipping. That is exactly what that
bogus NISCC Vulnerability Advisory was all about.

PFS was devised so that an eavesdropper cannot decipher packets,
even if they have your long-term private key.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl