[vpnc-devel] Updating the repository
Dan Villiom Podlaski Christiansen
danchr at daimi.au.dk
Thu Aug 10 18:02:16 CEST 2006
Joerg Mayer wrote:
> On Thu, Aug 10, 2006 at 04:12:57PM +0200, Dan Villiom Podlaski Christiansen wrote:
>> It seems trunk already has an option for that:
>> Enable Single DES
>> enables weak single DES encryption
>> Which would indicate that vpnc, by default, does not allow single DES.
>> Quite sensible, in my opinion.
> Sorry, that's not what I meant: When you have a concentrator that for
> some reason only allows 1des, then the negotiation will just fail and
> the user will not know why. In that case vpnc should print a message
> that the only available security was 1des (or even null) and how to get
> things running i.e. "use --enable-1des option if you don't care about
> security but need to connect urgently".
I can't tell from the code how vpnc would behave when no supported
encryption is found. However, it appears single DES won't be used unless
the above option is used.
Just tried disabling triple DES before connecting to the university VPN.
It resulted in this error:
> quick mode response rejected: ISAKMP_N_INVALID_PAYLOAD_TYPE(1)
> this means the concentrator did not like what we had to offer.
> Possible reasons are:
> * concentrator configured to require a firewall
> this locks out even Cisco clients on any platform expect windows
> which is an obvious security improvment. There is no workaround (yet).
> * concentrator configured to require IP compression
> this is not yet supported by vpnc.
> Note: the Cisco Concentrator Documentation recommends against using
> compression, expect on low-bandwith (read: ISDN) links, because it
> uses much CPU-resources on the concentrator
Perhaps that message should be extended to reflect that cipher