[Openswan Users] Re: need some guidence for strict/preferred algos.....

Paul Wouters paul at xelerance.com
Tue Mar 21 16:34:58 CET 2006

On Tue, 21 Mar 2006, utkarsh shah wrote:

>     i would like to know one thing
>         how does a strict flag works for encryption algo, auth algo and dh group / pfs group

openswan ALWAYS uses strict mode. There was a bug that allowed it to accept
a connection despite the alg/cipher not being on the esp=/ike= line, but do
not rely on that a s2.4.5 will have fixed this.

>     if one side have strict policy and other side preferred then how will it work??

ipsec auto --status will tell you what was used. You can also check the logs
and look at the "IPsec SA Established" which will show which cipher/algo was
agreed upon.


More information about the Users mailing list