[Openswan Users] Cisco VPN connection

Andy Gay andy at andynet.net
Tue Aug 29 10:43:29 EDT 2006


On Tue, 2006-08-29 at 16:15 +0200, Paul Wouters wrote:
> On Tue, 29 Aug 2006, Andy Gay wrote:
> 
> > Seems you need pfs=yes, AFAIK that's what "pfs group 2" means in the
> > Cisco.
> 
> Luckily, if openswan detects PFS, it will use it despite the pfs=no setting :)

That's OK if Openswan is the responder, but most (all?) other IPsec
implementations aren't so clever. If Openswan initiates, it'll use
what's configured; if that doesn't match the other end, the negotiations
fail. I've had that problem many times.




