Re: [FW1] FreeSWAN, FW-1 and DES

The following section is from the FreeSWAN 1.9 FAQ:

--- start

Does FreeS/WAN support single DES encryption?

No, single DES is not used either at the IKE level for negotiating connections or at the IPSEC level for actually building them. Single DES is insecure.

But isn't DES support part of the IPSEC standard?

Yes, but DES is insecure. As we see it, it is more important to deliver real security than to comply with a standard which has been subverted into allowing use of inadequate methods. See this discussion.

I have to talk to .... which offers only DES. How do I do this?

Ask the device vendor for the triple DES upgrade. These exist for many IPSEC devices.

If no cipher stronger than DES is available, we recommend you not use that IPSEC implementation.

If a 3DES implementation exists but your vendor cannot sell it to you because of export laws, consider complaining to one or more of:

* the vendor
* your own government, especially any branch concerned with citizen's privacy and/or protection of communication infrastructure
* the local embassy of the nation which restricts export to you

Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES now.

As a matter of project policy, we will not help anyone subvert FreeS/WAN to provide insecure DES encryption.

--- end

As you can read, it is a somewhat stiff attitude that only 3DES counts. However, since they want to be the holders of high morals and wonderful inflexibility, I'm sure you find that reflected in structured and clear source code, so adding support for DES would not be hard :)

cheers,
Alexander

Roger Smith <[email protected]> writes:

> Hi I'm having problems connecting to FW-1 from
> Linux/FreeSWAN - I have heard that FreeSWAN will only
> talk to Firewalls that can do 3DES. Since our Firewall
> can only do DES at the moment, I'm interested to know
> if this is true?
>
> Regards
> Chris
>
> ____________________________________________________________
> Do You Yahoo!?
> For regular News updates go to http://in.news.yahoo.com
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

--
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'