[Openswan Users] OpenSwan Configuration for Manual Keys

Jay Potter jpotter at science.edu
Fri Apr 14 21:36:45 CEST 2006


This is a very new release from Windows XP Professional with service 
pack 2 installed (marked 2002). (We just got the MSDN subscription from 
Microsoft and this version was included - we did not have to install 
service pack 2 separately.) When we run the MMC it allows us the choice 
of either 3des or des / sha1 or md5.

I noticed that when I turned off the IPSec on the XP, the Linux box 
accepted packets from the XP even though I had that address filtered.  
It's almost like IPSec isn't running.  At the same time, any machine 
that sends an authentication request (ipsec running) even if it is on a 
different address responds that it is authenticating (on a ping).


Brian Candler wrote:

>On Fri, Apr 14, 2006 at 02:38:33PM -0500, Jay Potter wrote:
>>"sample" #1: :responding to Main Mode
>>"Sample" #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 
>>supported.  Attribute OAKLEY_GROUP_DESCRIPTION
>>"Sample" #1:  OAKLEY_DES_CBC is not supported.  Attribute 
>>"Sample" #1: sending notification NO_ROPOSAL_CHOSEN to 
>
>Is this an old and unpatched Windows box? It seems so, as it looks like it
>only supports DES and not 3DES. I've never come across such an old box;
>maybe you could try something like
>  ike=des-md5-modp512,des-sha1-modp512
>However it would make more sense to patch the box so that it supports 3DES
>and 1024-bit Diffie-Hellman.
