[Openswan Users] FW: VPN works, but you can't eBay ;-)
Jacco de Leeuw
jacco2 at dds.nl
Wed May 18 01:04:25 CEST 2005
Paul Wouters wrote:
> Doesn't it warn you about this line? It should be !%v4:range/24 and not
> %v4:!range/24. It might be disabling NAT-T on this machine (or just ignore
> the last exclusion)
Are you sure? Mathieu Lafon provides an example on
http://open-source.arkoon.net/freeswan/README.NAT-Traversal.0.6
and he uses %v4:!range/24.
> Usually the replay detection/prevention vendors mean is just PFS. I am
> not sure what else it should/could be, if they do not mean pfs.
Could it be authentication? After all, without message integrity an
attacker can do a replay and bit flipping. That is exactly what that
bogus NISCC Vulnerability Advisory was all about.
PFS was devised so that an eavesdropper cannot decipher packets,
even if they have your long-term private key.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
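The distinction Jacco draws above (message integrity is what stops replay and bit flipping; PFS protects past traffic against a compromised long-term key) can be shown with a small ESP-style receiver. The following is an added example written for this thread; it is not Openswan or FreeS/WAN code. It assumes a constructed HMAC-SHA256 key and a sliding anti-replay window modelled on RFC 4303, and it checks the integrity tag before touching the window so that a modified packet can never advance or poison the replay state.

```python
import hmac
import hashlib

# Constructed demo key; a real SA derives its keys from the IKE exchange.
KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32          # HMAC-SHA256 output length
WINDOW_SIZE = 64      # RFC 4303 minimum is 32; 64 is a common default


def protect(seq, payload, key=KEY):
    """Build an ESP-like record: 4-byte sequence number + payload + HMAC tag.
    Real ESP carries ciphertext here; the payload is left as given because
    only the integrity and anti-replay checks matter for this example."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ReplayWindow:
    """Sliding anti-replay window after RFC 4303 section 3.4.3.
    Bit i of the bitmap set means sequence number (top - i) was accepted."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0:
            return False    # ESP sequence numbers start at 1
        if seq > self.top:
            # Slide the window forward; bits that fall off the left are dropped.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False    # too old: already left the window
        if self.bitmap & (1 << diff):
            return False    # already accepted once: a replay
        self.bitmap |= 1 << diff
        return True


def verify(record, window, key=KEY):
    """Return (accepted, reason). Integrity is verified first, then the
    sequence number is checked against the window. A flipped bit anywhere
    in header or payload fails the tag comparison before the window moves."""
    if len(record) < 4 + TAG_LEN:
        return False, "truncated"
    header, body, tag = record[:4], record[4:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "integrity failure"
    seq = int.from_bytes(header, "big")
    if not window.check_and_update(seq):
        return False, "replay or out of window"
    return True, "ok"


def demo():
    """Walk a receiver through fresh, replayed and tampered records."""
    window = ReplayWindow()
    results = []
    p1 = protect(1, b"hello")
    p2 = protect(2, b"world")
    results.append(verify(p1, window))              # fresh -> ok
    results.append(verify(p2, window))              # fresh -> ok
    results.append(verify(p1, window))              # same seq again -> replay
    tampered = bytearray(protect(3, b"ebay"))
    tampered[4] ^= 0x01                             # one bit of payload flipped
    results.append(verify(bytes(tampered), window))  # -> integrity failure
    results.append(verify(protect(3, b"ebay"), window))  # genuine seq 3 still ok
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Note that the last record in `demo()` is still accepted: because the forged packet was rejected on integrity before the window was consulted, sequence number 3 was never marked as seen. Had the order been reversed, an attacker able to modify packets could burn sequence numbers and cause legitimate traffic to be dropped.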