RE: [Openvpn-users] resolved: new openvpn problem


  • Subject: RE: [Openvpn-users] resolved: new openvpn problem
  • From: "Tibbs, Richard" <rwtibbs@xxxxxxxxxxx>
  • Date: Sun, 5 Dec 2004 19:40:17 -0500

Thanks very much, Jim.
If you don't mind I have a few additional questions.
1) If I recall correctly the mode command (mode server, mode client)
came in with 2.0, right?  Does this relate to the openvpn.conf directive
"tls-server"? IAW, is mode server the same as tls-server, or a different
feature?

2) When you say client/server mode below -- do you mean in either client
or server mode?  I am a bit confused here.

3) As I mentioned, someone from leaf-user compiled in ip(2) support
using the 1.6 tarball. Is the same true of the openvpn 1.6 pre-compiled
binaries from openvpn.sourceforge.net? 

TIA
Rick.



-----Original Message-----
From: James Yonan [mailto:jim@xxxxxxxxx] 
Sent: Sunday, December 05, 2004 7:22 PM
To: Tibbs, Richard
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] resolved: new openvpn problem

On Sun, 5 Dec 2004, Tibbs, Richard wrote:

> OK, what I had to do, since I had compiled in ip(2) support is get rid
> of the up script altogether and add a route command.
> I have now a working tun0 link. What works in openvpn.conf is shown
> below.
> I did a little documentation for my own sanity.
> I am still confused by one thing. In the openvpn 2.x readme (installed
> on my winXP wireless laptop) it says
> "
> * To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, put this in the
> 1.x config file:
> 
>   tun-mtu 1500
>   tun-mtu-extra 32
>   mssfix 1450
>   key-method 2
> 
> * For TLS usage, --key-method 2 is now the default.  Use --key-method 1
> to communicate with 1.x.
> "
> The last sentence seems to contradict the 1.x configs above it.
> 
> I assume they mean to say key-method 1 the first time, Right??

No, both statements are correct.  The main point is that the --key-method
parameter must be the same on both sides of the connection.

The best thing would be to add "key-method 2" to 1.x configs, to be
compatible with the default 2.0 key method which is 2.

But you could also leave the 1.x key-method at 1 (the default) and then
explicitly add "key-method 1" to the 2.0 config.  2.0 can use key-method
1, but not in client/server mode.

James
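The compatibility rule James gives above (key-method must match on both ends, and a 2.0 side cannot use key-method 1 in client/server mode) as a small config checker. This is an added example, not code from the thread or from OpenVPN; the version defaults (1.x defaults to key-method 1, 2.0 to key-method 2) are taken from the quoted README text, and treating `mode server`, `server` and `client` as the markers of client/server mode is an assumption of the example.

```python
# Added example (not from the thread or the OpenVPN project): check two
# OpenVPN configs against the key-method rule stated in the reply above.

def parse_directives(text):
    """Return {directive: [args]} for an OpenVPN-style config (first occurrence wins)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # '#' and ';' start comments
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name.lstrip("-"), args)
    return directives

def effective_key_method(conf, major_version):
    """Explicit key-method if set, else the version default quoted in the thread."""
    if "key-method" in conf:
        return int(conf["key-method"][0])
    return 2 if major_version >= 2 else 1

def is_client_server_mode(conf):
    """Assumption: 'mode server', 'server' or 'client' mean 2.0 client/server mode."""
    if "mode" in conf:
        return conf["mode"][0] == "server"
    return "server" in conf or "client" in conf

def check_pair(local_text, local_version, remote_text, remote_version):
    """Return a list of problems; an empty list means the two sides should interoperate."""
    local, remote = parse_directives(local_text), parse_directives(remote_text)
    lk = effective_key_method(local, local_version)
    rk = effective_key_method(remote, remote_version)
    problems = []
    if lk != rk:
        problems.append(f"key-method mismatch: local={lk} remote={rk}")
    for side, conf, ver, km in (("local", local, local_version, lk),
                                ("remote", remote, remote_version, rk)):
        if ver >= 2 and km == 1 and is_client_server_mode(conf):
            problems.append(f"{side}: key-method 1 is not usable in client/server mode on 2.0")
    return problems

# Constructed sample configs covering the cases discussed in the thread.
OLD_1X_CONF = "tun-mtu 1500\ntun-mtu-extra 32\nmssfix 1450\nkey-method 2\n"
PLAIN_1X_CONF = "dev tun\n"                       # 1.x with its default key-method 1
NEW_20_DEFAULT_CONF = "dev tun\n"                 # 2.0 with its default key-method 2
NEW_20_P2P_KM1_CONF = "dev tun\nkey-method 1\n"   # 2.0 point-to-point, key-method 1
NEW_20_SERVER_KM1_CONF = "mode server\ntls-server\nkey-method 1\n"

if __name__ == "__main__":
    print(check_pair(PLAIN_1X_CONF, 1, NEW_20_SERVER_KM1_CONF, 2))
```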