[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Paul Wouters paul at xelerance.com
Wed Mar 10 14:55:59 EST 2010


On Wed, 10 Mar 2010, Michael Richardson wrote:

> The ISAKMP SA is created in exchange 1 in aggressive mode.
> You have to send the exponent during that exchange, so you have to know
> what DH group you are using before you start.
>
> This is why you can not have multiple DH groups in aggressive mode, and
> I'd say historically, that meant that you can only have one proposal,
> since different DH groups were really the only parameter in historical
> (Freeswan 1.xx) code.
>
> The only other option was MD5 vs SHA1 then, and I think you have to also
> pick which hash to use since you have to know which PRF to use to
> generate keys as well (and in IKEv1, the hash negotiated is really the PRF).
>
> Maybe in concept, you can propose 3DES or AES128 in aggressive mode.
> I'd have to spend some time thinking about why that might not be
> acceptable.
>
> Frankly --- why not put in a support request to CISCO and make them do
> some testing, or explain why their product isn't compliant with the RFP
> you sent out?

Thanks, I've slightly rewritten this text and added it to the ipsec.conf
man page of the aggrmode= option.

Paul
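The constraint Michael describes above, as an added example that is not Openswan or Cisco code: in aggressive mode the initiator's first packet already carries SA, KE and Ni, so the KE payload (the DH public value) has to be computed for one group before any proposal has been accepted; in main mode the SA payload travels alone first and KE follows once the group is chosen. The group numbers 2, 5 and 14 are the real IKEv1 identifiers for modp1024, modp1536 and modp2048, but the primes and generators are tiny constructed toys, not the RFC 3526 MODP primes, so the model runs offline; it only enforces group agreement, not the hash/PRF point.

```python
"""Why IKEv1 aggressive mode pins the DH group before negotiation starts.

Added example, not Openswan or Cisco code.  Group numbers 2, 5 and 14 are
the real IKEv1 identifiers (modp1024/modp1536/modp2048); the (p, g) pairs
below are constructed toy values, NOT the RFC 3526 MODP primes.
"""
import secrets
from dataclasses import dataclass

# Constructed toy DH parameters (p, g) keyed by real IKEv1 group numbers.
TOY_GROUPS = {2: (23, 5), 5: (47, 5), 14: (59, 2)}


@dataclass(frozen=True)
class Proposal:
    """One IKE SA transform: cipher, hash (which is also the PRF in IKEv1), DH group."""
    enc: str
    prf: str
    group: int


def dh_public(group):
    """Return (private exponent x, public value g^x mod p) for the toy group."""
    p, g = TOY_GROUPS[group]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def aggressive_msg1(proposals):
    """Initiator's first aggressive-mode message: SA + KE + Ni in one packet.

    KE is a public value for exactly one group, so the group must be fixed
    before the packet can be built.  Returns (message, private_x) or raises
    ValueError if the proposals do not agree on a single DH group.
    """
    groups = {pr.group for pr in proposals}
    if len(groups) != 1:
        raise ValueError(f"aggressive mode needs one DH group, got {sorted(groups)}")
    group = groups.pop()
    x, ke = dh_public(group)
    msg = {"SA": list(proposals), "KE": (group, ke), "Ni": secrets.token_bytes(8)}
    return msg, x


def responder_check_msg1(msg, acceptable_groups):
    """Responder side: a proposal is usable only if its group matches the KE
    payload it arrived with and is one the responder is configured to accept."""
    ke_group, _ = msg["KE"]
    return [pr for pr in msg["SA"]
            if pr.group == ke_group and pr.group in acceptable_groups]


def main_mode_negotiate(proposals, acceptable_groups):
    """Main mode: SA goes in message 1 alone, the responder picks a proposal,
    and the initiator only then computes KE (message 3) for the chosen group.
    Mixed groups in the proposal list are fine here.
    Returns (chosen_proposal, ke_public) or None if nothing is acceptable."""
    chosen = next((pr for pr in proposals if pr.group in acceptable_groups), None)
    if chosen is None:
        return None
    _, ke = dh_public(chosen.group)  # computed only now, for the agreed group
    return chosen, ke


if __name__ == "__main__":
    # Constructed proposals: two ciphers on one group is fine in aggressive mode,
    # two groups is not.
    same_group = [Proposal("3des", "sha1", 2), Proposal("aes128", "sha1", 2)]
    mixed = [Proposal("3des", "sha1", 2), Proposal("3des", "sha1", 14)]
    msg, _ = aggressive_msg1(same_group)
    print("aggressive, one group, responder accepts:", responder_check_msg1(msg, {2, 14}))
    try:
        aggressive_msg1(mixed)
    except ValueError as e:
        print("aggressive, mixed groups:", e)
    print("main mode, mixed groups:", main_mode_negotiate(mixed, {14}))
```

The practical consequence for an ipsec.conf connection with aggrmode=yes is that the ike= line has to describe one DH group (it may still list more than one cipher on that group); the responder will silently ignore any proposal whose group differs from the KE it received.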

