Re: Win2000 IKE and 3des
This sounds fairly serious to me.
Perhaps this should be posted to BugTraq. This needs confirmation. I
thought I saw something like this when I was doing my tests against Win2K,
but it's been quite some time since then.
Sami Vaarala wrote:
> >Are both of you saying that if you set your policy for 3-DES ONLY (not
> >3-DES preferred but 3-DES only) that Windows 2000 will negotiate DES
> >anyway?
>
> Yes, that seems to be the case. I have only checked that if I configure
> 3des, it will send des as an initiator, and a phase 1 SA with des will
> be formed (if the remote end accepts des). Haven't checked if it works
> this way as a responder; probably will.
>
> >Or are you saying that Windows 2000 will fall back from 3-DES to DES if
> >your configured policy lets it do so and the peer doesn't support
> >3-DES?
>
> No. This would be the correct way to function, and there would not be
> an issue if this were the case.
>
> >The former is a bug which I've not seen in Windows 2000. The latter is
> >expected behavior since you configured it to do so.
>
> My point exactly. The latter behavior would be the one I would prefer
> to see, of course.
--
Will Price, Director of Engineering
PGP Security, Inc.
a division of Network Associates, Inc.
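The question in this thread is settled by looking at what the initiator actually puts on the wire. As an added example (not part of the original e-mail thread or of any vendor's code), here is a Python check that decodes ISAKMP phase 1 Transform payloads using the RFC 2408 attribute encoding and the RFC 2409 algorithm numbers, and reports any encryption algorithm other than 3DES-CBC offered by a peer whose policy is supposed to be 3DES-only. The sample payloads are constructed, and `build_transform` and `audit_proposal` are names of my own.

```python
import struct

# RFC 2409 Appendix A: attribute class 1 = Encryption Algorithm (1 = DES-CBC, 5 = 3DES-CBC),
# class 2 = Hash Algorithm; Transform-Id 1 = KEY_IKE for phase 1.
ENCR_ATTR = 1
HASH_ATTR = 2
ENCR_NAMES = {1: "DES-CBC", 5: "3DES-CBC"}
KEY_IKE = 1

def parse_attributes(data: bytes) -> dict:
    """Decode ISAKMP SA attributes (RFC 2408 section 3.3).
    Basic attributes (AF bit set) carry a 16-bit value; TLV attributes carry a length."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:                 # basic: the second field is the value
            attrs[atype & 0x7FFF] = val
        else:                              # TLV: the second field is the value length
            attrs[atype] = data[off:off + val]
            off += val
    return attrs

def parse_transform(payload: bytes) -> dict:
    """Decode one Transform payload: 8-byte header followed by SA attributes."""
    _next, _rsv, length, tnum, tid, _rsv2 = struct.unpack_from("!BBHBBH", payload, 0)
    return {"number": tnum, "id": tid, "attrs": parse_attributes(payload[8:length])}

def build_transform(tnum: int, encr: int, hash_alg: int = 2) -> bytes:
    """Constructed sample (hypothetical helper): a phase 1 transform offering `encr` with SHA."""
    attrs = struct.pack("!HHHH", 0x8000 | ENCR_ATTR, encr, 0x8000 | HASH_ATTR, hash_alg)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), tnum, KEY_IKE, 0) + attrs

def audit_proposal(transforms, required: str = "3DES-CBC") -> list:
    """Return the encryption algorithms offered that differ from the required one.
    A non-empty result from a '3DES only' peer is the behaviour the thread describes."""
    offered = []
    for t in transforms:
        attrs = parse_transform(t)["attrs"]
        offered.append(ENCR_NAMES.get(attrs.get(ENCR_ATTR), "unknown(%r)" % attrs.get(ENCR_ATTR)))
    return [name for name in offered if name != required]

if __name__ == "__main__":
    # Constructed proposal: transform 1 offers 3DES, transform 2 offers DES.
    proposal = [build_transform(1, 5), build_transform(2, 1)]
    print("non-3DES algorithms offered:", audit_proposal(proposal))  # ['DES-CBC']
```

Run it against transform payloads pulled from a capture of the peer's first phase 1 message; with a policy-compliant initiator the list is empty.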