
Re: VPN and OpenBSD 2.9



Oops. The manual page should not have had _this_ as an example (it's
wrong). Sorry about this.

The problem is IKE does not support differing Diffie-Hellman group modes
in a proposal, i.e. all suites specified must use the same DH group. As the
manual page states, we've let the autogenerated SHA suites use DH group 2,
and the MD5 ones use DH group 1. (This only applies to PFS suites, btw.)

> [Default-quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          QUICK_MODE
> Suites=                 QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE

Here's one of each, which clearly won't work.

So, the quick fix for you would be to either remove the *-DES-MD5-* suite
(it's weaker), or replace it with something else, such as
QM-ESP-AES-SHA-PFS-SUITE or QM-ESP-BLF-SHA-PFS-SUITE. I just updated
isakmpd.conf(5) to use the *-AES-SHA-* suite instead.

As far as I could tell from a quick glance, the rest of your configuration
looks sane.

/H

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
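As an added illustration (not code from the post or from isakmpd), here is a small checker that parses the quoted quick-mode section and flags a Suites= line whose PFS suites fall into more than one DH group. It assumes the mapping the post gives for the autogenerated PFS suites (SHA suites use group 2, MD5 suites use group 1) and uses a minimal approximation of the isakmpd.conf section/key layout; the sample configuration is constructed from the post.

```python
# Constructed sample: the quick-mode section quoted in the post, mixing a
# SHA PFS suite (DH group 2) with an MD5 PFS suite (DH group 1).
SAMPLE_CONF = """\
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
"""

def parse_sections(text):
    """Minimal parser for the [Section] / Key= Value layout of isakmpd.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def pfs_dh_group(suite):
    """DH group of an autogenerated PFS suite, as stated in the post:
    SHA suites -> group 2, MD5 suites -> group 1 (assumption: only those two
    hash families are classified). Non-PFS suites negotiate no DH group in
    quick mode, so they return None."""
    if "-PFS-" not in suite:
        return None
    if "-SHA-" in suite:
        return 2
    if "-MD5-" in suite:
        return 1
    return None

def pfs_groups(sections, section="Default-quick-mode"):
    """Set of DH groups used by the PFS suites listed in the section's Suites=."""
    raw = sections.get(section, {}).get("Suites", "")
    suites = [s.strip() for s in raw.split(",") if s.strip()]
    return {g for g in map(pfs_dh_group, suites) if g is not None}

def check_quick_mode(text, section="Default-quick-mode"):
    """True when all PFS suites share one DH group (a proposal IKE can offer)."""
    return len(pfs_groups(parse_sections(text), section)) <= 1

if __name__ == "__main__":
    groups = pfs_groups(parse_sections(SAMPLE_CONF))
    print("OK" if len(groups) <= 1 else "mixed DH groups: %s" % sorted(groups))
```

Replacing the MD5 suite with QM-ESP-AES-SHA-PFS-SUITE, as the post suggests, makes the check pass because both suites then sit in DH group 2.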