[Openswan Users] Vigor2600 & Openswan 2.4.5rc5
Roberto Fichera
kernel at tekno-soft.it
Tue Feb 21 10:10:11 CET 2006
At 21.22 20/02/2006, Paul Wouters wrote:
>On Mon, 20 Feb 2006, Roberto Fichera wrote:
>
>> > >Change the IKE option in the "advanced" popup to not use 1DES. What is
>> > >happening is that openswan as initiator works fine, but when the Vigor
>> > >turns to become the initiator at next rekey, it fails because it is
>> > >announcing 1DES instead of 3DES or AES?
>> >
>> >Ok! I'll try it!
>>
>> I tried the configuration you suggest, but still the problem :-(!
>> On the Vigor side I changed:
>>
>> Call direction: both
>
>The call direction feature (and keep alive feature) of Vigor is
>severely troublesome. One way of making sure things don't change
>and break after a certain amount of rekeys, is to make it
>dial-in only, set openswan as initiator, and give openswan a shorter
>keylife and ikelifetime so it will remain the initiator.
Did you mean that I had to set the vigor2600 as dial-in only?
>> Idle timeout: 3600 (secs)
>>
>> IPSec security method:
>> High(ESP): 3DES with Authentication
>>
>> Advanced Menu:
>> IKE phase 1 proposal: 3DES_MD5_G2
>
>This can be set in various places. I am not convinced those are
>synchronised. So check this setting in both the 'generic ike'
>settings menu, as well as the per-connection setting popup.
Only 3DES is checked.
>
>Paul
Roberto Fichera.
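
An added example, not part of the original thread or of either poster's configuration: an Openswan connection that follows the advice quoted above (Openswan initiates, proposals pinned to what the Vigor offers, lifetimes short enough that Openswan always rekeys first). The connection name, addresses, subnets and lifetime values are assumptions; the lifetimes only need to be shorter than the ones configured on the Vigor.

```conf
# /etc/ipsec.conf fragment, Openswan 2.4.x syntax (constructed example)
conn vigor2600
    # Openswan gateway and its LAN (placeholder addresses)
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    # Vigor2600 WAN address and its LAN (placeholder addresses)
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    authby=secret
    # Phase 1: same proposal as the Vigor's "3DES_MD5_G2" (group 2 = modp1024)
    ike=3des-md5-modp1024
    # Phase 2: "High(ESP): 3DES with Authentication"; the hash is not stated
    # in the thread, so both common choices are listed (assumption)
    esp=3des-md5,3des-sha1
    # Lifetimes chosen shorter than the Vigor's so this side rekeys first
    # (values are assumptions, check them against the Vigor's settings)
    ikelifetime=50m
    keylife=20m
    rekey=yes
    rekeymargin=5m
    # Bring the tunnel up at startup so Openswan is the initiator
    auto=start
```

With the Vigor set to dial-in only, the Openswan side is the only one that can start or renew the negotiation, so a mismatched proposal on the Vigor's initiator path is never exercised.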