[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Michael Richardson mcr at sandelman.ottawa.on.ca
Wed Mar 10 14:33:25 EST 2010


>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> We now know that we can, in fact, generate multiple proposals,
    >> provided the DH group is at least kept constant, since that's
    >> what vpnc is doing.

    Paul> Note that "some implementation can do this" is not the same as
    Paul> being RFC compliant. What is needed is the check with the
    Paul> proper RFCs to see if this is indeed valid, and if so, update
    Paul> the code.

    >> Fixing that would seem to cover a wealth of sins with these Cisco
    >> boxes.  Any hope for that?

    Paul> Though we'd gladly accept patches, I think people would rather
    Paul> put their energy into IKEv2, than into fixing IKEv1 Aggressive
    Paul> Mode.

    Paul> Michael (Richardson), can you perhaps tell us more about why
    Paul> Openswan claims there can only be one proposal in Aggressive
    Paul> Mode?

The ISAKMP SA is created in exchange 1 in aggressive mode. 
You have to send the exponent during that exchange, so you have to know
what DH group you are using before you start.

This is why you cannot have multiple DH groups in aggressive mode, and
I'd say historically, that meant that you can only have one proposal,
since different DH groups was really the only parameter in historical
(Freeswan 1.xx) code.

The only other option was MD5 vs SHA1 then, and I think you have to also
pick which hash to use since you have to know which PRF to use to
generate keys as well (and in IKEv1, the hash negotiated is really the PRF).

Maybe in concept, you can propose 3DES or AES128 in aggressive mode.
I'd have to spend some time thinking about why that might not be
acceptable.  

Frankly --- why not put in a support request to CISCO and make them do
some testing, or explain why their product isn't compliant with the RFP
you sent out?

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
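
Added example, not part of the original message or of Openswan's code: a small Python lint for the constraint described in the reply above, that Aggressive Mode sends the key exchange value in the first message, so every proposal has to share one DH group. The `cipher-hash;group` input form, the function names and the sample values are assumptions made for illustration; a differing hash is reported as a warning and a differing cipher as information only, following the reply.

```python
from typing import NamedTuple

# Assumed input form: Openswan-style "cipher-hash;group" items, comma separated.
KNOWN_GROUPS = {"modp768", "modp1024", "modp1536", "modp2048"}


class Proposal(NamedTuple):
    cipher: str
    hash: str
    group: str


def parse_ike(value):
    """Split 'aes128-sha1;modp1024,3des-md5;modp1024' into Proposal tuples."""
    proposals = []
    for item in value.split(","):
        algs, sep, group = item.strip().lower().partition(";")
        cipher, dash, hash_ = algs.partition("-")
        if not (sep and dash and cipher and hash_) or group not in KNOWN_GROUPS:
            raise ValueError(f"cannot parse proposal {item!r}")
        proposals.append(Proposal(cipher, hash_, group))
    return proposals


def lint_aggressive(value):
    """Return (level, text) findings for an Aggressive Mode initiator."""
    proposals = parse_ike(value)
    findings = []
    groups = sorted({p.group for p in proposals})
    hashes = sorted({p.hash for p in proposals})
    ciphers = sorted({p.cipher for p in proposals})
    if len(groups) > 1:
        # The KE payload goes out in message 1, before the peer has chosen.
        findings.append(("error", "one KE payload, several DH groups: " + ", ".join(groups)))
    if len(hashes) > 1:
        # The reply above expects the hash (the IKEv1 PRF) to be fixed too.
        findings.append(("warn", "several hashes offered: " + ", ".join(hashes)))
    if len(ciphers) > 1:
        # Left open in the reply above, so only reported.
        findings.append(("info", "several ciphers offered: " + ", ".join(ciphers)))
    return findings


def sendable(value):
    """True when no finding is an error, i.e. all proposals share one DH group."""
    return all(level != "error" for level, _ in lint_aggressive(value))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for sample in ("3des-sha1;modp1024", "aes128-sha1;modp1536,3des-sha1;modp1024"):
        print(sample, "->", lint_aggressive(sample) or "ok")
```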


