[Openswan Users] esp string error: enc_alg not found

Steve Zeng SteveZ at airg.com
Fri May 14 19:11:07 EDT 2010


I am trying openswan-2.6.21 on centos 5.1 to establish IPSec vpn to amazon VPC. Amazon gave us the following SPECs:

#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : **********************
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

So I configure my /etc/ipsec.conf as follows:
================================================
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        interfaces=%defaultroute
        protostack=netkey
        klipsdebug=none
        plutodebug=all

conn ec2-tunnel-01
        type=           tunnel
        authby=         secret
        left=           209.190.164.199
        leftsubnet=     192.168.0.0/19
        right=          72.21.109.125
        rightsubnet=    192.168.120.0/21
        auth=           esp
        keyexchange=    ike
        ike=            AES_CBC_128-SHA1-MODP1024
        ikelifetime=    28800s
        pfs=            yes
        esp=            AES_CBC_128-HMAC_SHA1_96-MODP1024
        salifetime=     3600s
        dpdtimeout=     10
        dpddelay=       3
        auto=           start
========================================

However, I keep getting the following error logs:

May 14 23:02:44 fw1 ipsec__plutorun: 034 esp string error: enc_alg not found, enc_alg="AES_CBC_", auth_alg="SHA1", modp="MODP1024"
May 14 23:02:44 fw1 ipsec__plutorun: 021 no connection named "ec2-tunnel-01"
May 14 23:02:44 fw1 ipsec__plutorun: 000 initiating all conns with alias='ec2-tunnel-01'
May 14 23:02:44 fw1 ipsec__plutorun: 021 no connection named "ec2-tunnel-01"

It shows me that the esp string has a problem. I googled and searched the mailing list but could not figure out what is wrong.

Thanks a lot in advance. 

Steve
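An added example, not part of Steve's post and not code from the Openswan project: a small checker that models how an Openswan proposal string is tokenised. The log line in the post shows the encryption name being cut at the first digit (`enc_alg="AES_CBC_"`), and Openswan's `ike=`/`esp=` keywords take the form `aes128-sha1;modp1024` rather than the `aes-128-cbc` / `hmac-sha1-96` spelling used in the vendor spec. The tokeniser, the keyword tables, and the spec-to-keyword and DPD mappings below are this example's own assumptions, chosen to reproduce the posted error and produce a string that passes.

```python
"""Added example: a checker for Openswan-style ike=/esp= proposal strings,
written for this page rather than taken from the post or the Openswan
source. It models only the tokenisation the post's log line exposes (the
encryption name ends at the first digit, so "AES_CBC_128" is read as
enc_alg "AES_CBC_" plus key length 128) and maps the vendor spec quoted in
the post onto Openswan keywords."""
import re

# Openswan proposal keywords used by this model (lower case). The names in
# the vendor spec (aes-128-cbc, hmac-sha1-96) are not proposal keywords.
ENC_ALGS = {"aes": {128, 192, 256}, "3des": {192}}
AUTH_ALGS = {"sha1", "md5"}
MODP_GROUPS = {"modp1024", "modp1536", "modp2048"}

# An encryption token is a name followed by an optional key length; the
# name runs up to the first digit ("3des" is the one keyword that starts
# with a digit, so it is matched whole).
ENC_TOKEN_RE = re.compile(r"^(?P<name>3des|[A-Za-z_]+)(?P<keylen>\d*)$")


def split_enc_token(tok):
    """'aes128' -> ('aes', 128); 'AES_CBC_128' -> ('AES_CBC_', 128)."""
    m = ENC_TOKEN_RE.match(tok)
    if not m:
        return tok, None
    keylen = int(m.group("keylen")) if m.group("keylen") else None
    return m.group("name"), keylen


def check_proposal(proposal):
    """Validate one 'enc-auth[;modp]' string. Returns (ok, detail)."""
    alg_part, _, modp = proposal.partition(";")
    parts = alg_part.split("-")
    # The post wrote the group as a third '-' field; the log shows it was
    # still picked up as modp, so accept that spelling too.
    if len(parts) == 3 and not modp:
        modp = parts.pop()
    if len(parts) != 2:
        return False, "expected enc-auth[;modp], got %r" % proposal
    enc_name, keylen = split_enc_token(parts[0])
    auth_name = parts[1]
    if enc_name.lower() not in ENC_ALGS:
        return False, 'enc_alg not found, enc_alg="%s"' % enc_name
    if keylen is not None and keylen not in ENC_ALGS[enc_name.lower()]:
        return False, "bad key length %d for %s" % (keylen, enc_name)
    if auth_name.lower() not in AUTH_ALGS:
        return False, 'auth_alg not found, auth_alg="%s"' % auth_name
    if modp and modp.lower() not in MODP_GROUPS:
        return False, 'modp group not found, modp="%s"' % modp
    return True, "ok"


# Vendor-spec vocabulary (as quoted in the post) -> Openswan keywords.
# This mapping is this example's reading of the spec, not a vendor table.
SPEC_ENC = {"aes-128-cbc": "aes128"}
SPEC_AUTH = {"sha1": "sha1", "hmac-sha1-96": "sha1"}
SPEC_GROUP = {"Diffie-Hellman Group 2": "modp1024"}


def proposal_from_spec(enc, auth, group):
    """Build 'aes128-sha1;modp1024' from the spec's wording."""
    return "%s-%s;%s" % (SPEC_ENC[enc], SPEC_AUTH[auth], SPEC_GROUP[group])


def dpd_from_spec(interval, retries):
    """Map 'DPD interval / retries' onto Openswan's dpddelay (seconds between
    probes) and dpdtimeout (seconds without a reply before the peer is
    declared dead); interval * retries for the timeout is this example's
    reading of the spec."""
    return {"dpddelay": interval, "dpdtimeout": interval * retries}


if __name__ == "__main__":
    posted = "AES_CBC_128-HMAC_SHA1_96-MODP1024"  # the esp= value from the post
    print(posted, "->", check_proposal(posted))
    fixed = proposal_from_spec("aes-128-cbc", "hmac-sha1-96", "Diffie-Hellman Group 2")
    print(fixed, "->", check_proposal(fixed))
    print("dpd:", dpd_from_spec(10, 3))
```

Running it reports the posted string with the same `enc_alg="AES_CBC_"` detail as the log, accepts `aes128-sha1;modp1024` for both the IKE and the ESP proposal, and maps the spec's DPD interval of 10 and 3 retries onto `dpddelay=10` / `dpdtimeout=30`, the reverse of how the two values appear in the posted conn block.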



