On Fri, Aug 29, 2008 at 11:02:18PM +0000, Stuart Henderson wrote:
> Does anyone know of a way, either using ipsec.conf or isakmpd.conf,
> to permit use of _either_ AES _or_ 3DES in phase 1? Or do I need to go
> to all the other endpoints and reconfigure them to a common algorithm
> (i.e. 3DES)?
When I was doing certs, I was identifying hosts based on USER_FQDN, iirc. I believe this works in the phase I ID. If so, perhaps it is possible to either omit main mode from ipsec.conf, or just do this particular client entirely in isakmpd.conf. But anyway, within the ISAKMP-peer section for that one host, iirc you can define what its phase 1 config is, and in there you can bring the 3DES into play. If the cert the peer has is only FQDN, and it's the same FQDN as other peers have, then I think you're pretty much screwed wrt being able to one-off this guy real super easy, but USER_FQDN can provide this granularity. I *do* remember having a lot of trouble with the Default-phase-1-ID for some reason somewhere... dunno if it'd be relevant.. it's been a while.

-- 
jared
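An added isakmpd.conf sketch (not from the thread) of the per-peer phase 1 setup jared describes: one ISAKMP-peer section for the odd host points at its own main-mode configuration whose Transforms list names both a 3DES and an AES transform, so isakmpd proposes either to that peer only. The peer address, the USER_FQDN, and all section names are placeholders.

```ini
# isakmpd.conf excerpt (added example, not from the original thread).
# Addresses, IDs and section names are placeholders.

[Phase 1]
# Only this one peer gets the mixed 3DES/AES phase 1 policy.
198.51.100.7=          ISAKMP-peer-legacy

[ISAKMP-peer-legacy]
Phase=                 1
Transport=             udp
Address=               198.51.100.7
Configuration=         Main-mode-3des-or-aes
# Our own phase 1 ID, USER_FQDN so this peer can be told apart
# from others that share the same FQDN in their certs.
ID=                    Local-ID-legacy

[Local-ID-legacy]
ID-type=               USER_FQDN
Name=                  legacy-gw@example.com

[Main-mode-3des-or-aes]
DOI=                   IPSEC
EXCHANGE_TYPE=         ID_PROT
# Each name is a separate proposal; the peer picks the one it supports.
Transforms=            3DES-SHA-RSA_SIG,AES-SHA-RSA_SIG

[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM=  3DES_CBC
HASH_ALGORITHM=        SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION=     MODP_1024
Life=                  LIFE_MAIN_MODE

[AES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM=  AES_CBC
KEY_LENGTH=            128
HASH_ALGORITHM=        SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION=     MODP_1024
Life=                  LIFE_MAIN_MODE
```

Listing the AES transform first would make isakmpd prefer it when the peer supports both, while the 3DES entry stays available for the endpoints that have not been reconfigured.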