[Openswan Users] Vigor2600 & Openswan 2.4.5rc5

Roberto Fichera kernel at tekno-soft.it
Tue Feb 21 10:10:11 CET 2006


At 21.22 20/02/2006, Paul Wouters wrote:
 >On Mon, 20 Feb 2006, Roberto Fichera wrote:
 >
 >> > >Change the IKE option in the "advanced" popup to not use 1DES. What is
 >> > >happening is that openswan as initiator works fine, but when the Vigor
 >> > >turns to become the initiator at next rekey, it fails because it is
 >> > >announcing 1DES instead of 3DES or AES?
 >> >
 >> >Ok! I'll try it!
 >>
 >> I tried the configuration you suggest, but still the problem :-(!
 >> On the Vigor side I changed:
 >>
 >> Call direction: both
 >
 >The call direction feature (and keep alive feature) of Vigor is
 >severely troublesome. One way of making sure things don't change
 >and break after a certain amount of rekeys, is to make it
 >dial-in only, set openswan as initiator, and give openswan a shorter
 >keylife and ikelifetime so it will remain the initiator.

Did you mean that I had to set the vigor2600 as dial-in only?

 >> Idle timeout: 3600 (secs)
 >>
 >> IPSec security method:
 >> High(ESP): 3DES with Authentication
 >>
 >> Advanced Menu:
 >> IKE phase 1 proposal: 3DES_MD5_G2
 >
 >This can be set in various places. I am not convinced those are
 >synchronised. So check this setting in both the 'generic ike'
 >settings menu, as well as the per-connection setting popup.

Only 3DES is checked.

 >
 >Paul

Roberto Fichera. 
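
The setup suggested in the quoted reply (Vigor dial-in only, Openswan as the sole initiator with shorter lifetimes, proposal pinned to 3DES_MD5_G2), sketched as an ipsec.conf fragment. This is an added example, not a configuration posted in this thread; the connection name, addresses, subnets and lifetime values are constructed, and the lifetimes assume the Vigor's own are longer.

```conf
# /etc/ipsec.conf fragment for the Openswan side (added example).
# All names, addresses and lifetimes below are constructed placeholders.
conn vigor2600
    # Openswan side
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    # Vigor2600 side (placeholder public address and LAN)
    right=203.0.113.10
    rightsubnet=192.168.2.0/24
    authby=secret

    # Phase 1: match the Vigor's "3DES_MD5_G2" proposal exactly.
    # G2 is DH group 2, which Openswan calls modp1024.
    ike=3des-md5-modp1024
    # Phase 2: match "High(ESP): 3DES with Authentication".
    # MD5 here is an assumption; use the hash the Vigor actually offers.
    esp=3des-md5

    # Keep Openswan the initiator: bring the tunnel up from this side
    # and rekey before the Vigor's own lifetimes can expire.
    auto=start
    rekey=yes
    # Assumed to be shorter than the lifetimes configured on the Vigor.
    ikelifetime=45m
    keylife=20m
    rekeymargin=5m
```

After a restart, `ipsec auto --status` lists the negotiated IKE and ESP algorithms for the connection, which shows whether the peer accepted 3DES rather than falling back to another proposal.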


