jared r r spiegel wrote:
> On Fri, Aug 29, 2008 at 11:02:18PM +0000, Stuart Henderson wrote:
>> Now someone would like to add a device which (like some other devices
>> connecting to this machine) is not on a fixed address so it needs to
>> use the "to any" rule. Though it supports AES in phase 2, only DES or
>> 3DES are permitted in phase 1 (which of course is already set to AES
>> on other devices).
> just checked isakmpd.conf(5), it says you can have a list of proposed
> transforms (instead of just one).
> but i do recall for certain that i NEVER got that to work.
> any list of anything, i never got to work; transform lists, the thing
> where you're supposed to be able to specify a range of time/byte
> durations, etc. etc. ... :/
I used the following for phase 1 in my isakmpd.conf:
[General]
...
# identity presented in phase 1, defined in the section named here
Default-phase-1-ID = My-Phase-1-Id

[My-Phase-1-Id]
Id-Type = FQDN
Name = router.ant.uni-bremen.de

# peer entry used for any peer without its own address entry
[Phase 1]
Default = Peer-Default

[Peer-Default]
Phase = 1
Transport = udp
Configuration = Default-id-prot

# main mode exchange; both transforms are proposed and the responder picks one
[Default-id-prot]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-RSA_SIG,AES-SHA-RSA_SIG
This worked without problems.
HTH,
Heinrich
--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax : -3341
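Since the whole thread is about which transforms end up being proposed in phase 1, here is an added audit script (not from the thread and not isakmpd's own code) that walks an isakmpd.conf fragment the way isakmpd resolves the default phase 1 peer (`[Phase 1]` -> peer section -> `Configuration` -> `Transforms`) and flags any DES/3DES entry in the proposal list. The config text is constructed from Heinrich's fragment; treating DES/3DES as weak is this example's own policy, and the cipher is taken from the part before the first `-`, assuming isakmpd's predefined ENC-HASH-AUTH transform naming.

```python
# Added example, not part of the thread: audit the phase 1 transform list
# of an isakmpd.conf fragment. SAMPLE_CONF is constructed from the config
# posted in the reply above.
import configparser

SAMPLE_CONF = """\
[General]
Default-phase-1-ID = My-Phase-1-Id

[My-Phase-1-Id]
Id-Type = FQDN
Name = router.ant.uni-bremen.de

[Phase 1]
Default = Peer-Default

[Peer-Default]
Phase = 1
Transport = udp
Configuration = Default-id-prot

[Default-id-prot]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-RSA_SIG,AES-SHA-RSA_SIG
"""

# Ciphers an auditor would not want accepted in phase 1. This is a policy
# choice made for this example, not something isakmpd enforces.
WEAK_ENC = {"DES", "3DES"}


def parse_conf(text):
    """Parse isakmpd.conf-style INI text, keeping key case as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # isakmpd keys such as Default-phase-1-ID are case-sensitive
    cp.read_string(text)
    return cp


def phase1_transforms(cp, peer="Default"):
    """Follow [Phase 1] <peer> -> peer section -> Configuration -> Transforms."""
    peer_section = cp["Phase 1"][peer]
    conf_section = cp[peer_section]["Configuration"]
    raw = cp[conf_section]["Transforms"]
    return [t.strip() for t in raw.split(",") if t.strip()]


def phase1_identity(cp):
    """Return (Id-Type, Name) of the identity named by General/Default-phase-1-ID."""
    id_section = cp["General"]["Default-phase-1-ID"]
    return cp[id_section]["Id-Type"], cp[id_section]["Name"]


def weak_transforms(transforms):
    """Return the transforms whose cipher part is in WEAK_ENC.

    Assumes isakmpd's predefined ENC-HASH-AUTH naming (e.g. 3DES-SHA-RSA_SIG),
    so the text before the first '-' is the cipher.
    """
    return [t for t in transforms if t.split("-", 1)[0].upper() in WEAK_ENC]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("phase 1 identity:", phase1_identity(conf))
    proposed = phase1_transforms(conf)
    print("proposed phase 1 transforms:", proposed)
    for t in weak_transforms(proposed):
        print("warning: weak cipher offered in phase 1 proposal:", t)
```

Run against the sample it reports both proposed transforms and warns about 3DES-SHA-RSA_SIG: listing two transforms gets the AES-only peers and the 3DES-only device onto one "to any" entry, but it also means every peer matching that entry may negotiate 3DES, which is the trade-off worth seeing in the audit output.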