[Openswan Users] Another attempt to get connected to aSonicWALL VPN.
petermcgill at goco.net
Fri Nov 24 08:10:48 EST 2006
On Thu, Nov 23, 2006 Bas Driessen wrote:
> Thanks very much Peter. We may have something here. When I tried to set up the connection a couple of weeks ago for the first time, the VPN server was still set to the old DES algorithm. I had to recompile OpenSwan with a WEAK switch (or something like that) to get that to work. In the end I got it to go past Phase 1 and yes you are right, my setting then was ike=des-md5-modp768. Since I did not get past phase 2, I got in contact with this mailing list and most of the responses were "don't use DES, but 3DES". After that I am still getting nowhere and in fact don't get past Phase 1 now. I asked the system administrator to change to 3DES, which he kindly did. I doubt if he changed the group and that most likely is the cause.
> Which group should I advise him to change to? Group 2 or 5?
Either is fine, both have sufficient size for 3DES, 5 may be considered stronger security because it has more bits, but either is
> Even though OpenSwan does not support DES and Group 1, if I recompile it again with the "WEAK" switch, will ike=3des-md5-modp768 work? I realize it is better to change the group, but if for some reason that can not/will not be done I need an alternative.
I wouldn't recommend it, but yes I believe it will technically work, though the security achieved would be negligible/pathetic.
I'd also say that your previous compile with weak proves it will work, since you connected Phase 1 alright.
If you get past Phase 1 and stuck on Phase 2 again, then check that you both have the same subnets configured.
Also, check that Phase 2 is using 3DES MD5 same as Phase 1 on both sides.
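As an added illustration of the advice in this thread (not part of the original mail, and not taken from any Openswan or SonicWALL documentation), here is an Openswan ipsec.conf connection showing the weak proposal next to a corrected one. The addresses, subnets and connection names are constructed placeholders; Group 2 is modp1024 and Group 5 is modp1536 in Openswan's ike= notation.

```ini
# --- Weak: only works with a WEAK/"insecure" build and gives
#     negligible security (single DES, DH Group 1 / modp768).
conn sonicwall-weak
    ike=des-md5-modp768
    esp=des-md5
    auto=ignore          # kept only for comparison; never load this

# --- Corrected: 3DES/MD5 with DH Group 2 (modp1024). Use modp1536
#     for Group 5 if the SonicWALL administrator chose that instead.
#     Phase 1 (ike=) and Phase 2 (esp=) must match what the SonicWALL
#     side is configured with, and the subnets must mirror each other.
conn sonicwall
    type=tunnel
    keyexchange=ike
    authby=secret
    ike=3des-md5-modp1024        # Phase 1: cipher-hash-DHgroup
    esp=3des-md5                 # Phase 2: same cipher/hash as Phase 1
    pfs=yes                      # set to match the SonicWALL's PFS setting
    left=203.0.113.10            # constructed: Openswan public address
    leftsubnet=192.168.1.0/24    # constructed: LAN behind Openswan
    right=198.51.100.20          # constructed: SonicWALL public address
    rightsubnet=10.0.0.0/24      # constructed: LAN behind the SonicWALL
    auto=start
```

If Phase 1 now completes but Phase 2 still fails, compare leftsubnet/rightsubnet with the SonicWALL's local/destination networks before changing anything else.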