 From:  Wes Morgan <cap10morgan at gmail dot com>
 To:  David Burgess <apt dot get at gmail dot com>
 Cc:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] VPN - IPsec break down without changing anything
 Date:  Fri, 4 Apr 2008 09:25:46 -0600
I got that analysis from the new Openswan book. I forget the full title, something like Building and Securing VPNs with Openswan.

Wes

On Apr 4, 2008, at 9:19 AM, "David Burgess" <apt dot get at gmail dot com> wrote:

> http://en.wikipedia.org/wiki/Data_Encryption_Standard
>
> Wikipedia states that DH is safe if the keys are well chosen, but makes no mention of bit-length.
>
> db
>
> On 04/04/2008, Michael Brown <knightmb at knightmb dot dyndns dot org> wrote:
>>
>> A quick Google search didn't find anything to support the "it's not secure" part. I would like to read more about it if you have a link to the information.
>>
>> wmorgan at ffpir dot org wrote:
>>
>>> It looks like the other end of the connection is only offering to use DES encryption and a 768-bit DH group. This is _not_ secure, but some older hardware (notably Cisco) doesn't support anything better.
>>>
>>> I'd start by seeing if you can turn on 3DES or AES encryption and at least a 1024-bit DH (aka MODP) group on the other end for the phase 1 negotiation.
>>> Wes
>>>
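An added illustration of the phase 1 proposal check Wes describes, not code from this thread or from m0n0wall: it scores the transforms a peer offers against a local minimum policy using the IANA IKEv1 attribute values, and shows why a peer offering only DES with the 768-bit group (group 1) gets no match until 3DES or AES and at least group 2 (1024-bit MODP) are enabled on that end. The function names, the policy thresholds and the sample proposals are my own constructions.

```python
# Added example: responder-side check of IKEv1 phase 1 transforms offered by a
# peer against a local minimum policy. The attribute values are the IANA IKEv1
# assignments; everything else (names, policy, samples) is constructed here.

# IKEv1 "Encryption Algorithm" attribute values (RFC 2409 appendix A / IANA).
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
# IKEv1 "Group Description" values mapped to MODP modulus size in bits.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}

# Local policy (constructed): ciphers we accept and the smallest DH modulus.
ACCEPTED_ENC = {"3DES-CBC", "AES-CBC"}
MIN_MODP_BITS = 1024


def evaluate_proposal(enc_id, group_id):
    """Return (acceptable, reason) for one phase 1 transform."""
    enc = ENC_NAMES.get(enc_id, f"unknown-enc-{enc_id}")
    bits = MODP_BITS.get(group_id)
    problems = []
    if enc not in ACCEPTED_ENC:
        problems.append(f"{enc} not allowed")
    if bits is None:
        problems.append(f"unknown DH group {group_id}")
    elif bits < MIN_MODP_BITS:
        problems.append(f"MODP group {group_id} is {bits}-bit (< {MIN_MODP_BITS})")
    return (not problems, "; ".join(problems) or f"{enc} with {bits}-bit MODP")


def select_proposal(peer_proposals):
    """Simplified responder behaviour: accept the first peer transform that
    satisfies local policy. Returns (index or None, reasons for rejections)."""
    rejections = []
    for i, (enc_id, group_id) in enumerate(peer_proposals):
        ok, reason = evaluate_proposal(enc_id, group_id)
        if ok:
            return i, rejections
        rejections.append(f"transform {i}: {reason}")
    return None, rejections


if __name__ == "__main__":
    # Constructed: an old peer offering only DES-CBC with group 1 (768-bit),
    # the situation described in the thread; phase 1 cannot complete.
    legacy_peer = [(1, 1)]
    print(select_proposal(legacy_peer))
    # Constructed: the same peer after enabling 3DES with group 2 (1024-bit).
    fixed_peer = [(1, 1), (5, 2)]
    print(select_proposal(fixed_peer))
```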