[Openswan dev] [Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Michael H. Warfield mhw at WittsEnd.com
Fri Mar 12 10:27:34 EST 2010 

On Fri, 2010-03-12 at 10:06 -0500, Michael H. Warfield wrote: 
> On Fri, 2010-03-12 at 09:49 -0500, Paul Wouters wrote: 
> > On Fri, 12 Mar 2010, Michael H. Warfield wrote:
> 
> > > This is the complete set of 24 proposals from vpnc
> > >
> > >  0 aes256-sha1-mod1024     XAUTHInitPreShared
> > >  1 aes256-md5-mod1024      XAUTHInitPreShared
> > >  2 aes192-sha1-mod1024     XAUTHInitPreShared
> > >  3 aes192-md5-mod1024      XAUTHInitPreShared
> > > * 4 aes128-sha1-mod1024     XAUTHInitPreShared
> > >  5 aes128-md5-mod1024      XAUTHInitPreShared
> > >  6 3des-sha1-mod1024       XAUTHInitPreShared
> > >  7 3des-md5-mod1024        XAUTHInitPreShared
> > >  8 des-sha1-mod1024        XAUTHInitPreShared
> > >  9 des-md5-mod1024         XAUTHInitPreShared
> > > 10 RESERVED-sha1-mod1024   XAUTHInitPreShared
> > > 11 RESERVED-md5-mod1024    XAUTHInitPreShared

> > Can you obtain the proposal numbers for "RESERVED"? perhaps by
> > initiating vpnc against a pluto with plutodebug=all? It might
> > be that our ietf_constants.h needs updating for a new cipher?
> > (perhaps this is camellia?)

> I had saved the trace from vpnc and was using wireshark to look at it.
> Here's the details from each of those last two proposals.

> Transform payload # 10
>   Next payload: Transform (3)
>   Payload length: 36
>   Transform number: 10
>   Transform ID: KEY_IKE (1)
>   Encryption-Algorithm (1): RESERVED (0)
>   Hash-Algorithm (2): SHA (2)
>   Group-Description (4): Alternate 1024-bit MODP group
>   (2)Authentication-Method (3): XAUTHInitPreShared (65001)
>   Life-Type (11): Seconds (1) 
>   Life-Duration (12): Duration-Value (2147483)

> Transform payload # 11
>   Next payload: Transform (3)
>   Payload length: 36
>   Transform number: 11
>   Transform ID: KEY_IKE (1)
>   Encryption-Algorithm (1): RESERVED (0)
>   Hash-Algorithm (2): MD5 (1)
>   Group-Description (4): Alternate 1024-bit MODP group
>   (2)Authentication-Method (3): XAUTHInitPreShared (65001)
>   Life-Type (11): Seconds (1) 
>   Life-Duration (12): Duration-Value (2147483)

> Ok...  That's just weird.  That doesn't make any sense to be proposing
> encryption algorithm 0.  That really is reserved.  I think that must be
> a bug in vpnc but I'll have to go back to the sources to double check
> that one.  Maybe there's a reason and they have it commented.

Oh, duh.  I'm being dense.  It's the NULL cipher.  :-P  Gag...

Ok...  So we know they're offering both the NULL cipher and DES in
addition to the 3 AES flavors and 3DES.  That explains the first 12
proposals and answers why we probably don't want those additional 4
(unless forced too).

> > Which ones do we send?

> 0 - 7 match the ones we send with the ike string I sent in the earlier
> message.

> > > 12 aes256-sha1-mod1024     PSK
> > > 13 aes256-md5-mod1024      PSK

> > [...]

> > Not sure about these. Without xauth perhaps?

> That would kinda be my guess too, yeah.  Unless I actually caught a
> working exchanged that used one of them, I don't know.  Maybe the
> sources will give me a clue there as well.

Yeah, the sources indicate they are supporting PSK+XAUTH and PSK.  So, I
guess that would really break down into separate with and without XAUTH
configurations, so that's probably covered as well with explicit
configuration.

The sources indicate they are supporting dh1 (768) dh2 (1024) and dh5
(1536).  An entry for dh7 is commented out.  Only thing I have seen
offered is 1024.  It's a configuration variable for dh1, dh2, and dh5
with a default of dh2.  So, so much for that.  We're covered there as
well.

I don't think I see anything else we need to worry about in there, in
that case.

> > >> So currently ike=aes works, but ike=sha1 or ike=modp1024 does not. Ideally,
> > >> that would be fixed.
> > >
> > > Cool.
> 
> > >> I'd say that's prob easier then the proposal code :)
> > >
> > > Before, I would have agreed.  Now having done it, this was a snap.  I
> > > really hope you're right.  That must mean it'll be a walk in the park
> > > for you.
> > 
> > Except the Rolling Stones were wrong. Time is never on my side :P
> 
> I hear ya.  You and me both.
> 
> I'm going to start looking into those stray SA on --down and stray IP
> addresses on unload problems.  They shouldn't be too hard to find but,
> as you say...
> 
> > >>> That patch is attached here for this.  This makes multiple proposals in
> > >>> aggressive mode work for me, even if it does make the config a bit ugly.
> > >>>
> > >>> Diff's are against 2.6.24 release code.  I can rebase if desired.
> > >
> > >> I have not yet looked at it, but will try to merge it in tomorrow.
> > >
> > > Very good.
> > 
> > Paul

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/dev/attachments/20100312/64ad3888/attachment-0001.bin

More information about the Dev mailing list