[Openswan Users] openswan and sonicwall
Simon Deziel
simon at xelerance.com
Fri May 16 10:31:34 EDT 2014
Hi Nick,

On 14-05-16 09:44 AM, Nick Howitt wrote:
> Having said that, if you put nothing in Openswan, it should follow
> anything the Sonicwall requests.

Even better! Thanks, I didn't know that Openswan's default proposal
intersected with the Sonicwall one.

> When I last used Openswan (2.6.38 - I converted to Libreswan) it was
> very lax in what it would accept.

If a strict proposal is desired, one can use "!" at the end of the
proposal like this:

ike=aes128-sha1;modp2048!

In theory, just specifying a proposal should be enough to ignore the
built-in proposal list but there is a bug that makes the "!" required to
have strict mode matching.

There is another bug that prevents strict mode matching with "phase2alg=".
We are working on those 2 known issues.

> Even if you specified something in Openswan, if the other end demanded something
> else, Openswan would allow the connection.

That's indeed the case but only when the proposal lists intersect.

Regards,
Simon
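
The following is an added example, not part of the original message and not Openswan code: a small audit script that reads an ipsec.conf and reports which conns set `ike=` with the trailing "!" described above, which set it without, and which leave it unset. The sample configuration, conn names and addresses are constructed, and the parser assumes simple `conn` sections without `also=` or `include`.

```python
# Constructed sample ipsec.conf (not taken from the original post).
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn sonicwall-strict
    right=198.51.100.1
    ike=aes128-sha1;modp2048!

conn sonicwall-lax
    right=198.51.100.2
    ike=aes128-sha1;modp2048   # no "!": built-in proposals can still match

conn sonicwall-default
    right=198.51.100.3
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header in column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def audit_ike(text):
    """Classify each conn's phase 1 proposal as strict, lax or default."""
    result = {}
    for name, opts in parse_conns(text).items():
        ike = opts.get("ike")
        if ike is None:
            result[name] = "default"   # no ike= line: default proposals apply
        elif ike.endswith("!"):
            result[name] = "strict"    # trailing "!" requests strict matching
        else:
            result[name] = "lax"       # proposal given, but not marked strict
    return result

if __name__ == "__main__":
    for name, status in audit_ike(SAMPLE_CONF).items():
        print(f"{name}: {status}")
```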