[vpnc-devel] Working on certificate authentication ...

Joerg Mayer jmvpnc at loplof.de
Fri Aug 25 09:17:25 CEST 2006


On Thu, Aug 24, 2006 at 11:30:11PM +1200, Mattias Nissler wrote:
> No, my configuration doesn't require any certificates. It's just
> xauth-psk which is called group key or something by the Cisco client
> IIRC. The whole thing is very sensitive regarding correct parameters. For
> example, it took me quite some time to figure out that I had to set the
> dh_group parameter to 2. All other values just resulted in failures to
> establish the connection with very few hints about what went wrong.


Well, that's something your admin might want to document: Both the fact
that you have to set a specific DH group and the fact that even with
debugging basically no feedback is available are due to how aggressive
mode works. It's not something the ipsec-tools authors can improve.

<simplify>
Client -> Server: Hello, I'm me and I support the following list of
parameters [...].
Oh, and by the way, here is the first data for a dh-group1 exchange

Server: Huh?!? I only support dh-group 2. Well, I won't answer that guy.
</simplify>

 ciao
      Joerg

PS: Have you gotten hybrid mode to work?
-- 
Joerg Mayer                                           <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
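
The point made in the message above, as an added example that is not part of the original post or of the vpnc or ipsec-tools code: in IKEv1 aggressive mode the initiator's first packet already carries the key-exchange (KE) payload, so the DH group is fixed before the gateway has said anything, and it can be read off a captured packet from the KE length. The function names, the sample packet (constructed, with an opaque SA body) and the `documented_group` parameter are assumptions for illustration.

```python
import struct

# IKEv1 constants (RFC 2408 / RFC 2409)
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4
PAYLOAD_SA, PAYLOAD_KE = 1, 4
# MODP group number keyed by public-value length in bytes (RFC 2409, RFC 3526)
GROUP_BY_KE_LEN = {96: 1, 128: 2, 192: 5, 256: 14}

def committed_dh_group(packet: bytes):
    """DH group the initiator committed to in aggressive-mode message 1,
    inferred from the KE payload length; None if it cannot be determined."""
    if len(packet) < 28:
        raise ValueError("shorter than an ISAKMP header")
    next_payload, _ver, exch, _flags = struct.unpack_from("!BBBB", packet, 16)
    end = min(struct.unpack_from("!I", packet, 24)[0], len(packet))
    if exch != EXCH_AGGRESSIVE:
        return None  # main mode sends KE only after the SA has been agreed
    offset = 28
    while next_payload != 0 and offset + 4 <= end:
        following, _rsv, plen = struct.unpack_from("!BBH", packet, offset)
        if plen < 4 or offset + plen > end:
            raise ValueError("malformed payload length")
        if next_payload == PAYLOAD_KE:
            return GROUP_BY_KE_LEN.get(plen - 4)
        next_payload, offset = following, offset + plen
    return None

def diagnose(packet: bytes, documented_group: int) -> str:
    """Client-side check that gives the feedback the gateway will not."""
    group = committed_dh_group(packet)
    if group is None:
        return "no aggressive-mode KE payload recognised"
    if group != documented_group:
        return (f"mismatch: KE is for group {group}, "
                f"gateway documents group {documented_group}")
    return "ok"

def build_msg1(exch: int, ke_len: int) -> bytes:
    """Constructed sample: ISAKMP header + opaque SA payload + KE payload."""
    sa = struct.pack("!BBH", PAYLOAD_KE, 0, 12) + b"\x00" * 8
    ke = struct.pack("!BBH", 0, 0, 4 + ke_len) + b"\xaa" * ke_len
    hdr = b"\x11" * 8 + b"\x00" * 8 + struct.pack(
        "!BBBBII", PAYLOAD_SA, 0x10, exch, 0, 0, 28 + len(sa) + len(ke))
    return hdr + sa + ke

if __name__ == "__main__":
    print(diagnose(build_msg1(EXCH_AGGRESSIVE, 96), documented_group=2))
```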
