<br><br><b><i>Peter McGill <petermcgill@goco.net></i></b> wrote:<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> > -----Original Message-----<br>> Date: Mon, 25 Jun 2007 06:16:54 -0700 (PDT)<br>> From: "D h @ v @ l" <dhaval4linux@yahoo.com><br>> Subject: [Openswan Users] Problem with ike<br>> To: users@openswan.org<br>> <br>> Hi all<br>> <br>> I am making a vpn tunnel Net to Roadworrier. I have <br>> problem when I enable ike=des-md5-modp3072 in both ipsec.conf. <br>> <br>> Here is my ipsec.conf file<br>> conn netone<br>> left=10.10.136.190<br>> leftsubnet=192.0.0.0/8<br>> leftrsasigkey=%cert<br>> leftcert=host.example.com.pem<br>> right=10.10.136.191<br>> rightsubnet=11.0.0.0/8<br>> rightrsasigkey=%cert<br>> rightcert=clienthost.example.com.pem<br>> authby=rsasig<br>> also=policy3<br>> auto=start<br>>
<br>> conn policy3<br>> keyexchange=ike<br>> aggrmode=no<br>> ike=des-md5-modp3072<br>> ikelifetime=1h<br>> esp=aes128-md5<br>> pfs=no<br>> compress=no<br>> keylife=1h<br>> failureshunt=passthrough<br>> <br>> #Disable Opportunistic Encryption<br>> include /etc/ipsec.d/examples/no_oe.conf<br>> <br>> This is my output of command: ipsec auto --status<br>> interface lo/lo ::1<br>> 000 interface lo/lo 127.0.0.1<br>> 000 interface lo/lo 127.0.0.1<br>> 000 interface eth0/eth0 10.10.136.191<br>> 000 interface eth0/eth0 10.10.136.191<br>> 000 interface eth1/eth1 11.11.11.11<br>> 000 interface eth1/eth1 11.11.11.11<br>> 000 %myid = (none)<br>> 000 debug none<br>> 000<br>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, <br>> keysizemin=64, keysizemax=64<br>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, <br>> keysizemin=192, keysizemax=192<br>> 000 algorithm
ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, <br>> keysizemin=40, keysizemax=448<br>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, <br>> keysizemin=0, keysizemax=0<br>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, <br>> keysizemin=128, keysizemax=256<br>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, <br>> keysizemin=128, keysizemax=256<br>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, <br>> keysizemin=128, keysizemax=256<br>> 000 algorithm ESP auth attr: id=1, <br>> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>> 000 algorithm ESP auth attr: id=2, <br>> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>> 000 algorithm ESP auth attr: id=5, <br>> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>> 000 algorithm ESP auth attr: id=251, name=(null), <br>> keysizemin=0, keysizemax=0<br>> 000<br>> 000 algorithm
IKE encrypt: id=5, name=OAKLEY_3DES_CBC, <br>> blocksize=8, keydeflen=192<br>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, <br>> blocksize=16, keydeflen=128<br>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, <br>> bits=1024<br>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, <br>> bits=1536<br>> 000 algorithm IKE dh group: id=14, <br>> name=OAKLEY_GROUP_MODP2048, bits=2048<br>> 000 algorithm IKE dh group: id=15, <br>> name=OAKLEY_GROUP_MODP3072, bits=3072<br>> 000 algorithm IKE dh group: id=16, <br>> name=OAKLEY_GROUP_MODP4096, bits=4096<br>> 000 algorithm IKE dh group: id=17, <br>> name=OAKLEY_GROUP_MODP6144, bits=6144<br>> 000 algorithm IKE dh group: id=18, <br>> name=OAKLEY_GROUP_MODP8192, bits=8192<br>> 000<br><br>First off DES is NOT SECURE!
Can't say that strongly enouph, do not use<br>It, it is obsolete, broken, cracked, etc... Use one of the newer stronger<br>ciphers instead. 3DES, Blowfish should be fine, AES, Serpent and Twofish<br>Are best.<br><br>Secondly, only 3DES and AES are available in your ike status here, the others<br>Are only in esp. IPSec is a two phase process, authentication and encryption.<br>Ike is phase 1 authentication and esp is phase 2 encryption.<br><br>3DES and AES are defaults in openswan, so:<br> ike=3des-md5-modp3072<br> esp=aes128-md5<br>Should work just fine.<br>Or if you want blowfish for phase 2, this should work.<br> ike=3des-md5-modp3072<br> esp=blowfish-md5<br><br>> Here is my log from /var/log/auth.log<br>> <br>> Jun 23 03:48:57 localhost pluto[26197]: | ike_alg_db_new() <br>> ike enc ealg=1 not present<br><br>I'm not sure how to enable the other ciphers for phase 1, but probably a<br>Recompile with special options is needed, and/or kernel module
loading/recompile.<br><br>Peter<br></dhaval4linux@yahoo.com></blockquote>How to enable other ciphers in phase1. if Recompile openswan then what are the options. If kernel recompile is needed then which modules I have to select before recompiling. <br><br>Any one know that.<br><br><br>thanks in advanced,<br><br>Dhaval<br><br><p> 
<hr size=1>Looking for earth-friendly autos? <br> <a href="http://autos.yahoo.com/green_center/;_ylc=X3oDMTE4MGw4Z2hlBF9TAzk3MTA3MDc2BHNlYwNtYWlsdGFncwRzbGsDZ3JlZW5jZW50ZXI-">Browse Top Cars by "Green Rating"</a> at Yahoo! Autos' Green Center.