DES (single DES) and OpenSwan on ClearOS
#14400
DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
So after testing on Friday, I have found that my client's current equipment does not support 3DES. It is simply Cisco Equipment that is too old, and they do not have any kind of support contract to download updated firmware. Some of the gear is so dated I am not sure if it even has firmware that supports 3DES.

They have 8 sites (HQ and 7 remote) scattered across the country & Mexico and doing a massive all or nothing swap out is not going to be fun.

My Google skills found hits on the OpenSwan mailing list that show it used to be able to be compiled with DES enabled, but I couldn't find any good instructions on which versions of OpenSwan still had this feature.

I can follow instructions on compiling and running a ./makefile but couldn't find any. Additionally, I do not want to break the existing IPSec support in ClearOS. If I remove the IPSec module to install OpenSwan myself, would I then have to do everything in the conf file manually? Will I no longer be able to use Managed VPN?
Jared Busch
#14403
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
Compiling openswan is pretty easy and the instructions are in the source. Old instructions are here. The second post gives the way of keeping it in the ClearOS way, but you now use "yum" instead of "apt-get". I suggest you keep with the 2.6.x family now if you want to remain compatible with ClearOS. If you have not installed them yet, you should install the development tools:
Code:

yum groupinstall "Development Tools"



DES on its own is horribly insecure. You should get your client off that as soon as possible!

If you compile as suggested, the ClearOS VPN should still work even if you compile the latest package (2.6.27 when ClearOS is at 2.6.21).
Nick Howitt
#14404
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
Nick Howitt wrote:
DES on its own is horribly insecure. You should get your client off that as soon as possible!
One of many selling points for the switch to ClearOS.
Jared Busch
#14405
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
I think to compile with DES, in the source, edit Makefile.inc and change USE_WEAKSTUFF?=false to true.
Nick Howitt
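
An added example, not part of the original posts: a shell audit that reports whether an Openswan source tree has USE_WEAKSTUFF switched on and which connections in an ipsec.conf still propose single DES, useful for tracking the sites that remain to be migrated. The function names and sample files are constructed for illustration, and it assumes single DES proposals are spelled des-... in the ike=, esp= or phase2alg= lines.

```shell
#!/bin/sh
# Added example (not from the thread): flag single-DES use in an Openswan setup.

# Succeeds if the given Makefile.inc has USE_WEAKSTUFF switched to true.
weakstuff_enabled() {
    grep -Eq '^[[:space:]]*USE_WEAKSTUFF[[:space:]]*\??=[[:space:]]*true' "$1"
}

# Prints "conn<TAB>key=value" for each ike=/esp=/phase2alg= line whose
# proposal list contains single DES (des-..., never 3des-...).
# Assumption: proposals are comma-separated and single DES is spelled "des".
single_des_proposals() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        /^conn[ \t]+/ { conn = $2; next }        # remember the current conn name
        /^[ \t]+(ike|esp|phase2alg)[ \t]*=/ {
            line = $0; gsub(/[ \t]/, "", line)   # normalise to key=value
            n = split(substr(line, index(line, "=") + 1), props, ",")
            for (i = 1; i <= n; i++)
                if (props[i] ~ /^des([-;!]|$)/) { print conn "\t" line; break }
        }
    ' "$1"
}

# Constructed sample inputs, written to the directory given as $1.
write_samples() {
    printf 'USE_WEAKSTUFF?=true\n' > "$1/Makefile.inc"
    cat > "$1/ipsec.conf" <<'EOF'
conn hq-to-remote1
    ike=des-md5
    esp=3des-sha1
conn hq-to-remote2
    ike=3des-sha1,aes128-sha1
    # esp=des-md5
    esp=aes128-sha1
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
weakstuff_enabled "$tmp/Makefile.inc" && echo "build tree: weak algorithms enabled"
single_des_proposals "$tmp/ipsec.conf"
rm -rf "$tmp"
```
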
#14406
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
That is what I got out of my searches. Install dev tools now, then will move to openswan. I'll post updates.
Jared Busch
#14407
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
One thing you might find is installing an updated Openswan will not break ClearOS per se, but manual configuration of openswan may well break it. It does break the (free) unmanaged VPN but with the managed VPN they may give you better support. I have no idea what the managed VPN looks like.
Nick Howitt
#14408
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
Problem installing openswan.

When I make programs it says that it cannot find gmp.h
OpenSwan FAQ
gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.
The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.


Code:


[root@vpn openswan-2.6.21]# yum install libgmp libgmp-devel
Loading "kmod" plugin
Loading "protect-packages" plugin
Setting up Install Process
Parsing package install arguments
No package libgmp available.
No package libgmp-devel available.
Nothing to do

Jared Busch
Last Edit: 2010/07/19 15:19 By sorvani.
#14411
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
Have you installed the Development Tools?
Nick Howitt
#14413
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
The gmp package provides libgmp for CentOS / ClearOS
Code:

yum install gmp gmp-devel

Tim Burgess
#14426
Re: DES (single DES) and OpenSwan on ClearOS 1 Year, 6 Months ago  
Nick Howitt wrote:
Have you installed the Development Tools?
That is what I was doing in my earlier post.

Tim Burgess wrote:
The gmp package provides libgmp for CentOS / ClearOS
Code:

yum install gmp gmp-devel


That did it, make programs running now.
Jared Busch
Last Edit: 2010/07/19 21:58 By sorvani. Reason: user 0 bbcode 1