[Openswan Users] Vigor2600 & Openswan 2.4.5rc5

Paul Wouters paul at xelerance.com
Mon Feb 20 21:22:19 CET 2006


On Mon, 20 Feb 2006, Roberto Fichera wrote:

> > >Change the IKE option in the "advanced" popup to not use 1DES. What is
> > >happening is that openswan as initiator works fine, but when the Vigor
> > >turns to become the initiator at next rekey, it fails because it is
> > >announcing 1DES instead of 3DES or AES?
> >
> >Ok! I'll try it!
>
> I tried the configuration you suggest, but still the problem :-(!
> On the Vigor side I changed:
>
> Call direction: both

The call direction feature (and keep alive feature) of Vigor is
severely troublesome. One way of making sure things don't change
and break after a certain amount of rekeys, is to make it
dial-in only, set openswan as initiator, and give openswan a shorter
keylife and ikelifetime so it will remain the initiator.

> Idle timeout: 3600 (secs)
>
> IPSec security method:
> High(ESP): 3DES with Authentication
>
> Advanced Menu:
> IKE phase 1 proposal: 3DES_MD5_G2

This can be set in various places. I am not convinced those are
synchronised. So check this setting in both the 'generic ike'
settings menu, as well as the per-connection setting popup.

Paul
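
An added illustration, not part of the original message: a small Python check that an Openswan conn section follows the advice above (openswan initiates, its ikelifetime and keylife are shorter than the Vigor's, and the proposals are pinned to the equivalent of 3DES_MD5_G2 with no single DES). The conn name, addresses, lifetime values and the peer lifetimes passed to check() are assumptions, and the sample ipsec.conf text is constructed.

```python
# Constructed sample: an Openswan conn for a Vigor peer (documentation addresses).
SAMPLE_CONF = """\
conn vigor
    left=192.0.2.1
    right=198.51.100.7
    auto=start
    ike=3des-md5-modp1024
    esp=3des-md5
    ikelifetime=50m
    keylife=50m
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(value):
    """Convert an ipsec.conf time value such as 3600, 50m or 1h to seconds."""
    v = value.strip()
    return int(v[:-1]) * UNITS[v[-1]] if v[-1:] in UNITS else int(v)

def parse_conn(text, name):
    """Return the key=value options of one conn section as a dict."""
    opts, inside = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            inside = line.split() == ["conn", name]
        elif inside and "=" in line:
            key, val = line.strip().split("=", 1)
            opts[key.strip()] = val.strip()
    return opts

def check(opts, peer_phase1, peer_phase2):
    """List reasons the peer could still become initiator or offer single DES."""
    problems = []
    if opts.get("auto") != "start":
        problems.append("auto is not 'start': openswan will not initiate")
    for key in ("ike", "esp"):
        algs = [p.split("-")[0].lower() for p in opts.get(key, "").split(",") if p]
        if not algs:
            problems.append(f"{key}= not set: proposal is not pinned")
        elif "des" in algs:
            problems.append(f"{key}= allows single DES")
    for key, peer in (("ikelifetime", peer_phase1), ("keylife", peer_phase2)):
        if key not in opts or seconds(opts[key]) >= peer:
            problems.append(f"{key} is not shorter than the peer's {peer}s")
    return problems
```

Pass the phase 1 and phase 2 lifetimes configured on the Vigor, in seconds, as the second and third arguments to check(); an empty list means the conn matches the advice.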

