[Openswan Users] Aggressive mode and IKE=

Peter McGill petermcgill at goco.net
Mon Nov 12 10:06:08 EST 2007

Note that aggressive mode is weak, if you can turn it off on the checkpoint (and openswan) that is better.
ike needs to match the encryption settings set on the checkpoint, for example, 3des-md5-modp1024, 3des-sha1-modp1536, aes-sha1-modp1536, etc...
Make sure that Diffie-Hellmen (DH) Group 1 (768 bits) is not used on the checkpoint, it's weak and openswan doesn't support it.
Instead use Group 2 (1024) or Group 5 (1536), match the setting in the checkpoint using the above format.
pfs=yes|no also needs to match the Perfect Forward Secrecy Setting on the checkpoint, yes is better as it is more secure.
If your checkpoint uses different encryption for ike phase 1 and esp phase 2 then also set the esp line to match.
ie) esp=3des-md5 (Like ike but without the modp, dh group. Defaults to the same as ike so you can leave out if they match.)
Note these options are explained in the ipsec.conf manpage.
Peter McGill


From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Kurt Burger
Sent: November 9, 2007 5:05 PM
To: users at openswan.org
Subject: [Openswan Users] Aggressive mode and IKE=

Hi want to connect against a Checkpoint Securemote VPN in aggressive mode as a warrior client.

I have to put the IKE=??? parameter inside the ipsec.conf file but don't know what I have to substitute for the ??? The aggrassive=yes parameter told me so. Any help is very welcomed.

Regards Kurt 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20071112/c78b2be5/attachment-0001.html 

More information about the Users mailing list