From: Peter E. <pe...@bo...> - 2007-02-15 17:13:26
I've [somewhat painfully] discovered that the SA definition (like below) will fail to match and fall through to anonymous (which will match without pfs_group defined). In testing we added a pfs_group to the definition and the definition was selected properly. Has this been documented before? In this case the peer was Checkpoint, but I don't know that it's pertinent to the situation. I'll pull down the pending 0.7 and test with it when I get a window.

sainfo address LOCAL any address REMOTE any {
        # NO PFS
        lifetime time 1 hour ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}

sainfo address REMOTE any address LOCAL any {
        # NO PFS
        lifetime time 1 hour ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}

...

sainfo anonymous {
        lifetime time 1 hour ;
        encryption_algorithm 3des, aes ;
        authentication_algorithm hmac_md5, hmac_sha1 ;
        compression_algorithm deflate ;
}

Thanks,
peter
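As an added illustration (not part of Peter's post and not ipsec-tools' own documentation), the specific sainfo entries above rewritten with the workaround he describes, an explicit pfs_group, beside the catch-all entry. The group, modp1024, is an assumption: the peer must be configured for the same group, and the remaining parameters are the ones from the post. The hmac_md5 removal in the anonymous entry is this editor's suggestion, not something the post reports.

```conf
# Added example, not from the original post.
# Assumption: the peer proposes PFS with DH group 2 (modp1024); use whatever
# group the peer is actually configured for.
sainfo address LOCAL any address REMOTE any {
        pfs_group modp1024 ;
        lifetime time 1 hour ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}

sainfo address REMOTE any address LOCAL any {
        pfs_group modp1024 ;
        lifetime time 1 hour ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}

# Catch-all: a phase 2 proposal that fails to match a specific entry lands
# here, so it should be no weaker than the specific entries. The post's
# version also accepted hmac_md5; dropping it is the editor's suggestion.
# Remove the entry entirely if every peer has its own sainfo.
sainfo anonymous {
        lifetime time 1 hour ;
        encryption_algorithm 3des, aes ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}
```

The security-relevant point in the post is that the mismatch is silent: a sainfo that does not match does not fail the negotiation, it hands the peer whatever the anonymous entry permits. Rather than assuming the specific entry was chosen, confirm it, for example by running racoon in the foreground with debug logging (racoon -F -d) during the phase 2 exchange and then dumping the resulting SAs with setkey -D to check that the negotiated authentication and encryption algorithms are the ones the specific entry allows.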