[Openswan Users] FW: VPN works, but you can't eBay ;-)

Paul Wouters paul at xelerance.com
Wed May 18 01:59:18 CEST 2005


On Wed, 18 May 2005, Jacco de Leeuw wrote:

> Paul Wouters wrote:
>
>> Doesn't it warn you about this line? It should be !%v4:range/24 and not
>> %v4:!range/24. It might be disabling NAT-T on this machine (or just ignore
>> the last exclusion)
>
> Are you sure? Mathieu Lafon provides an example on
> http://open-source.arkoon.net/freeswan/README.NAT-Traversal.0.6
> and he uses %v4:!range/24.

Thinking I was going mad, I tried it out:

         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,!%v4:1.1.1.0/24

May 18 00:54:46 bofh pluto[9216]:   including NAT-Traversal patch (Version 0.6c)
May 18 00:54:46 bofh pluto[9216]: 1 bad entries in virtual_private - none loaded

The conclusion is that I am going mad......

>> Usually the replay detection/prevention vendors mean is just PFS. I am
>> not sure what else it should/could be, if they do not mean pfs.
>
> Could it be authentication? After all, without message integrity an
> attacker can do a replay and bit flipping. That is exactly what that
> bogus NISCC Vulnerability Advisory was all about.

Perhaps it keeps a log of packet sequence numbers to avoid a replay?

Paul
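Added example, not part of the original message and not pluto's own parser: a small check for a virtual_private value that applies the entry form used on this page and in the README linked above (an exclusion is written %v4:!net/len, and !%v4:net/len is a bad entry), and that mirrors the all-or-nothing outcome in the log above, where one bad entry means none are loaded. The exact grammar, the %v6: form and the handling of host bits are assumptions.

```python
import ipaddress
import re

# Assumed grammar: comma-separated entries of the form %v4:CIDR or %v6:CIDR,
# with an exclusion marked by '!' directly after the colon (%v4:!CIDR).
_ENTRY = re.compile(r"^%v(4|6):(!?)([0-9A-Fa-f.:]+/\d+)$")


def parse_virtual_private(value):
    """Split a virtual_private string into (included, excluded, bad).

    included/excluded hold ipaddress network objects; bad holds the raw
    entries that do not match the grammar, e.g. '!%v4:1.1.1.0/24'.
    """
    included, excluded, bad = [], [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        m = _ENTRY.match(entry)
        if not m:
            bad.append(entry)
            continue
        family, negated, cidr = m.groups()
        try:
            # strict=False masks off host bits; whether pluto does the same
            # is an assumption, not something the message states.
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            bad.append(entry)
            continue
        if (family == "4") != (net.version == 4):
            bad.append(entry)  # address family does not match the %v4/%v6 tag
            continue
        (excluded if negated else included).append(net)
    return included, excluded, bad


def check_virtual_private(value):
    """Apply the outcome seen in the log: any bad entry means nothing is
    loaded. Returns ((included, excluded), []) or (None, bad_entries)."""
    included, excluded, bad = parse_virtual_private(value)
    if bad:
        return None, bad
    return (included, excluded), []


if __name__ == "__main__":
    # The exact line Paul tried (constructed from the message above).
    print(check_virtual_private(
        "%v4:10.0.0.0/8,%v4:192.168.0.0/16,!%v4:1.1.1.0/24"))
```

Running it on the line from the message reports the third entry as bad and nothing loaded, while the %v4:!1.1.1.0/24 spelling loads two included and one excluded range.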

