[vpnc-devel] Updating the repository

Dan Villiom Podlaski Christiansen danchr at daimi.au.dk
Thu Aug 10 18:02:16 CEST 2006


Joerg Mayer wrote:
> On Thu, Aug 10, 2006 at 04:12:57PM +0200, Dan Villiom Podlaski Christiansen wrote:
>> It seems trunk already has an option for that:
>>
>>    --enable-1des
>>    Enable Single DES
>>        enables weak single DES encryption
>>
>> Which would indicate that vpnc, by default, does not allow single DES. 
>> Quite sensible, in my opinion.
> 
> Sorry, that's not what I meant: When you have a concentrator that for
> some reason only allows 1des, then the negotiation will just fail and
> the user will not know why. In that case vpnc should print a message
> that the only available security was 1des (or even null) and how to get
> things running i.e. "use --enable-1des option if you don't care about
> security but need to connect urgently".

I can't tell from the code how vpnc would behave when no supported 
encryption is found. However, it appears single DES won't be used unless 
the above option is used.

Just tried disabling triple DES before connecting to the university VPN. 
It resulted in this error:

> quick mode response rejected: ISAKMP_N_INVALID_PAYLOAD_TYPE(1)
> this means the concentrator did not like what we had to offer.
> Possible reasons are:
>   * concentrator configured to require a firewall
>      this locks out even Cisco clients on any platform expect windows
>      which is an obvious security improvment. There is no workaround (yet).
>   * concentrator configured to require IP compression
>      this is not yet supported by vpnc.
>      Note: the Cisco Concentrator Documentation recommends against using
>      compression, expect on low-bandwith (read: ISDN) links, because it
>      uses much CPU-resources on the concentrator

Perhaps that message should be extended to reflect that cipher 
negotiation failed.

- Dan
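As an added illustration of the behaviour Joerg is asking for (this is not vpnc code and does not model vpnc's actual ISAKMP handling), here is a small Python model of phase-2 transform selection with a weak-cipher policy gate. The names `negotiate`, `client_offer`, `Outcome`, the cipher labels and the `enable_1des` flag are all assumptions made for this example; real IKE carries numbered transform attributes and the concentrator selects from what the client proposes. The point it shows is the diagnostic: when the only transforms the peer would accept are ones the client refuses by policy, say so and name the escape hatch, rather than emitting a generic "the concentrator did not like what we had to offer".

```python
"""Model of IKE transform selection with a weak-cipher policy gate.

Added example, not vpnc code. All names here are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Policy, not protocol: ciphers the client refuses unless told otherwise,
# and the ones it proposes by default, strongest first.
WEAK: Set[str] = {"NULL", "DES"}
STRONG: List[str] = ["AES-256", "AES-128", "3DES"]


@dataclass
class Outcome:
    cipher: Optional[str]   # negotiated cipher, or None on failure
    reason: str             # human-readable diagnostic for the user


def client_offer(enable_1des: bool) -> List[str]:
    """Transforms the client is willing to propose, strongest first.

    Mirrors the idea of a build-time --enable-1des switch: single DES
    is only ever offered when explicitly enabled.
    """
    offer = list(STRONG)
    if enable_1des:
        offer.append("DES")
    return offer


def negotiate(peer_accepts: Set[str], enable_1des: bool = False) -> Outcome:
    """Pick the first client transform the peer accepts.

    On failure, distinguish "the peer only accepts ciphers we refuse by
    policy" from "no overlap at all", so the --enable-1des hint is shown
    only when it would actually make the connection succeed.
    """
    offer = client_offer(enable_1des)
    for transform in offer:
        if transform in peer_accepts:
            return Outcome(transform, "negotiated %s" % transform)

    refused = sorted(peer_accepts & WEAK)
    if refused:
        hint = ""
        if "DES" in refused and not enable_1des:
            hint = ("; re-run with --enable-1des to accept weak single DES "
                    "if you must connect despite the reduced security")
        return Outcome(None, "peer only accepts weak ciphers %s, refused by "
                             "policy%s" % (refused, hint))

    return Outcome(None, "no common cipher: peer accepts %s, we offered %s"
                   % (sorted(peer_accepts), offer))


if __name__ == "__main__":
    # Constructed peer policies, standing in for concentrator configurations.
    for peer in ({"3DES", "DES"}, {"DES"}, {"NULL"}, {"Blowfish"}):
        print(sorted(peer), "->", negotiate(peer).reason)
    print(sorted({"DES"}), "with --enable-1des ->",
          negotiate({"DES"}, enable_1des=True).reason)
```

The second constructed case (a concentrator that accepts only DES) is the one from the thread: without the flag the client fails but now tells the user why and how to proceed; with the flag it connects over single DES, and the diagnostic makes clear that this is a deliberate downgrade rather than a silent default.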
