[Openswan Users] openswan and sonicwall

Simon Deziel simon at xelerance.com
Fri May 16 10:31:34 EDT 2014


Hi Nick,

On 14-05-16 09:44 AM, Nick Howitt wrote:
> Having said that, if you put nothing in Openswan, it should follow
> anything the Sonicwall requests.

Even better! Thanks, I didn't know Openswan's default proposal
intersected with the Sonicwall one.

> When I last used Openswan (2.6.38 - I converted to Libreswan) it was
> very lax in what it would accept.

If a strict proposal is desired, one can use "!" at the end of the
proposal like this:

 ike=aes128-sha1;modp2048!

In theory, just specifying a proposal should be enough to ignore the
built-in proposal list but there is a bug that makes the "!" required to
have strict mode matching.

There is another bug that prevents strict mode matching with "phase2alg=".

We are working on those 2 known issues.

> Even if you specified something in Openswan, if the other end demanded something
> else, Openswan would allow the connection.

That's indeed the case but only when the proposal lists intersect.

Regards,
Simon
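
An added example, not part of the original message and not Openswan code: a small audit of an ipsec.conf that reports, per connection, whether the IKE proposal is pinned with the trailing "!" described above, and whether "phase2alg=" is set (which, per this message, is not strictly matched). The sample configuration, connection names and addresses are constructed; the parser is a simplification that handles "conn %default" inheritance but ignores "also=" and "include".

```python
import re
# Constructed sample ipsec.conf; conn names and addresses are made up.
SAMPLE_CONF = """\
conn sonicwall-lax
    right=198.51.100.1
    ike=aes128-sha1;modp2048
    phase2alg=aes128-sha1

conn sonicwall-strict
    right=198.51.100.1
    ike=aes128-sha1;modp2048!

conn sonicwall-default
    right=198.51.100.1
"""

def parse_conns(conf_text):
    """Map each 'conn' section name to its key=value options."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit_proposals(conf_text):
    """Return {conn: [notes]} on how strictly each proposal is enforced."""
    conns = parse_conns(conf_text)
    defaults = conns.pop("%default", {})  # options inherited by every conn
    report = {}
    for name, opts in conns.items():
        merged = {**defaults, **opts}
        notes = []
        ike = merged.get("ike")
        if ike is None:
            notes.append("no ike=: built-in proposal list applies")
        elif not ike.endswith("!"):
            notes.append("ike= lacks trailing '!': not strict")
        if "phase2alg" in merged:
            notes.append("phase2alg= set: strict matching not enforced")
        report[name] = notes
    return report
```

An empty list for a connection means its "ike=" line ends in "!" and no "phase2alg=" is set.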

