[Openswan Users] Cisco VPN connection

Paul Wouters paul at xelerance.com
Tue Aug 29 10:57:58 EDT 2006


On Tue, 29 Aug 2006, Andy Gay wrote:

>
> On Tue, 2006-08-29 at 16:15 +0200, Paul Wouters wrote:
> > On Tue, 29 Aug 2006, Andy Gay wrote:
> >
> > > Seems you need pfs=yes, AFAIK that's what "pfs group 2" means in the
> > > Cisco.
> >
> > Luckily, if openswan detects PFS, it will use it despite the pfs=no setting :)
>
> That's OK if Openswan is the responder, but most (all?) other IPsec
> implementations aren't so clever. If Openswan initiates, it'll use
> what's configured, if that doesn't match the other end the negotiations
> fail. I've had that problem many times.

That's true. And sometimes rekeying can flip responder/initiator as well.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
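The mismatch discussed in this thread, as an added configuration example that is not part of the original messages or of the Openswan project's own documentation: the same Openswan conn with the setting that fails against a Cisco peer configured with "set pfs group2", and the setting that matches it. Addresses, subnets and conn names are constructed; the Cisco "pfs group 2" is IKE Diffie-Hellman group 2, i.e. MODP 1024, which is what Openswan calls modp1024.

```ini
# /etc/ipsec.conf on the Openswan gateway (constructed example, not from the thread)
# Peer side (Cisco IOS crypto map) has:  set pfs group2

# Setting that only works while Openswan happens to be the responder:
# Openswan accepts the Cisco's PFS proposal when the Cisco initiates, but
# when this side initiates (at startup, or after a rekey flips the roles)
# it proposes a Quick Mode without a DH exchange and the Cisco rejects it.
conn cisco-vpn-mismatch
    left=203.0.113.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    authby=secret
    ike=3des-sha1;modp1024
    pfs=no
    auto=ignore

# Matching setting: PFS on, phase 2 DH group pinned to group 2 (modp1024),
# so the proposal is the same whichever side initiates or rekeys.
conn cisco-vpn
    left=203.0.113.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    authby=secret
    ike=3des-sha1;modp1024
    esp=3des-sha1;modp1024
    pfs=yes
    auto=start
```

The practical check is to let Openswan be the initiator (restart its side of the tunnel rather than the Cisco's) and confirm the Quick Mode still completes; if it only comes up when the Cisco initiates, the PFS settings differ and the tunnel will drop at the first rekey where the roles swap.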

