[Openswan Users] Another attempt to get connected to aSonicWALL VPN.

Peter McGill petermcgill at goco.net
Fri Nov 24 08:10:48 EST 2006


On Thu, Nov 23, 2006 Bas Driessen wrote:
> Thanks very much Peter. We may have something here. When I tried to set up the connection a couple of weeks ago for the first time, the VPN server was still set to the old DES algorithm. I had to recompile OpenSwan with a WEAK switch (or something like that) to get that to work. In the end I got it to go past Phase 1 and yes, you are right, my setting then was ike=des-md5-modp768. Since I did not get past Phase 2, I got in contact with this mailing list and most of the responses were "don't use DES, but 3DES". After that I am still getting nowhere and in fact don't get past Phase 1 now. I asked the system administrator to change to 3DES, which he kindly did. I doubt if he changed the group, and that most likely is the cause.
>
> Which group should I advise him to change to? Group 2 or 5?

Either is fine; both have sufficient size for 3DES. 5 may be considered stronger security because it has more bits, but either is fine.

> Even though OpenSwan does not support DES and Group 1, if I recompile it again with the "WEAK" switch, will ike=3des-md5-modp768 work? I realize it is better to change the group, but if for some reason that cannot/will not be done I need an alternative.

I wouldn't recommend it, but yes, I believe it will technically work, though the security achieved would be negligible/pathetic.
I'd also say that your previous compile with WEAK proves it will work, since you connected Phase 1 alright.

If you get past Phase 1 and stuck on Phase 2 again, then check that you both have the same subnets configured.
Also, check that Phase 2 is using 3DES MD5 same as Phase 1 on both sides.

Peter 
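The following ipsec.conf fragment is an added illustration of the advice in this thread; it is not from the original post or from the Openswan project. It shows a conn using Group 2 (modp1024) for Phase 1, the same 3DES/MD5 pair for Phase 2, and mirrored subnets. The addresses and subnets are placeholders, and the connection name is made up for the example; "left" is the Openswan side and "right" the SonicWALL side.

```ini
# Added example, not from the mailing list post. Addresses are placeholders.
conn sonicwall-example
    # Phase 1 (IKE): 3DES, MD5, Group 2 = modp1024 (Group 5 would be modp1536).
    # The thread's ike=3des-md5-modp768 is Group 1 and only works with the WEAK build.
    ike=3des-md5-modp1024
    # Phase 2 (ESP): keep the same cipher/hash as Phase 1, as advised above.
    esp=3des-md5
    keyexchange=ike
    authby=secret
    # Openswan side (placeholder public address and LAN).
    left=198.51.100.10
    leftsubnet=192.168.10.0/24
    # SonicWALL side (placeholder public address and LAN).
    # These two subnets must match exactly what the SonicWALL has configured,
    # with the sides swapped, or Phase 2 will not complete.
    right=203.0.113.20
    rightsubnet=192.168.20.0/24
    auto=start
```

If Phase 1 completes but Phase 2 still fails, compare leftsubnet/rightsubnet here against the SonicWALL's local and destination networks first, then confirm the Phase 2 proposal on the SonicWALL is also 3DES/MD5.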


