<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
}
--></style>
</head>
<body class='hmmessage'>
Hi all,<BR>
<BR>
I am trying to use GCM as the phase2alg in my testing.<BR>
I built a test bed with Openswan----Openswan (2.6.33).<BR>
Here is my ipsec.conf.<BR>
----------------- <BR>
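config setup<BR>
&nbsp;&nbsp;&nbsp;&nbsp;pluto=yes<BR>
&nbsp;&nbsp;&nbsp;&nbsp;protostack=netkey<BR>
<BR>
conn %default<BR>
&nbsp;&nbsp;&nbsp;&nbsp;authby=secret<BR>
&nbsp;&nbsp;&nbsp;&nbsp;auto=route<BR>
&nbsp;&nbsp;&nbsp;&nbsp;ikev2=never<BR>
&nbsp;&nbsp;&nbsp;&nbsp;rekey=no<BR>
<BR>
conn interop4<BR>
&nbsp;&nbsp;&nbsp;&nbsp;left=80.1.1.200<BR>
&nbsp;&nbsp;&nbsp;&nbsp;right=80.1.1.100<BR>
&nbsp;&nbsp;&nbsp;&nbsp;ike=aes256-sha1;modp1024<BR>
&nbsp;&nbsp;&nbsp;&nbsp;pfs=yes<BR>
&nbsp;&nbsp;&nbsp;&nbsp;# phase2alg=aes_ccm_c-216-null<BR>
&nbsp;&nbsp;&nbsp;&nbsp;# phase2alg=aes_ccm_c-280-null<BR>
&nbsp;&nbsp;&nbsp;&nbsp;phase2alg=aes_gcm_c-160-null<BR>
&nbsp;&nbsp;&nbsp;&nbsp;# phase2alg=aes_gcm_c-288-null<BR>
&nbsp;&nbsp;&nbsp;&nbsp;type=transport<BR>
&nbsp;&nbsp;&nbsp;&nbsp;aggrmode=no<BR>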
------------------<BR>
<BR>
I know the number in aes_ccm_c-???-null should be set as "AES key length" + "fixed 24 bits" for ccm.<BR>
And I have also learned that the number in phase2alg=aes_gcm_c-???-null should be set as "AES key length" + "fixed 32 bits" for gcm.<BR>
In this way I can set 160/224 for aes128gcm/aes192gcm. But when I want to set 288 for aes256gcm, the following error is logged.<BR>
-------<BR>
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: kernel algorithm does not like: kernel_alg_db_add() key_len not in range: alg_id=19, key_len=288, alg_minbits=128, alg_maxbits=256<BR>
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: unsupported ESP Transform ESP_AES_GCM_B from 80.1.1.200<BR>
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: no acceptable Proposal in IPsec SA<BR>
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.1.1.200:500<BR>
--------<BR>
<BR>
So I am confused about how to set the phase2alg parameter if I want to use AES_GCM with 256 (AES key length).<BR>
I think the sanity check of openswan here is not reasonable. What is the experts' opinion?<BR>
<BR>
--Adam<BR>
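<BR>
Added example (not part of the original message and not Openswan code): a small Python script that takes the key_len/alg_minbits/alg_maxbits values from the log line quoted above and checks every "AES key length + salt" value, using the 24-bit (CCM) and 32-bit (GCM) convention described in the message, against those bounds. It shows that the logged range is being compared with the composite number, which is why 160 and 224 pass while 280 and 288 do not. The function names are hypothetical.<BR>

```python
import re

# Salt bits added to the AES key length, per the convention stated in the message.
SALT_BITS = {"aes_ccm": 24, "aes_gcm": 32}
AES_KEY_BITS = (128, 192, 256)

# Log text copied from the message (pluto's range-check failure).
LOG = ('"interop4" #2: kernel algorithm does not like: kernel_alg_db_add() '
       'key_len not in range: alg_id=19, key_len=288, alg_minbits=128, alg_maxbits=256')

def logged_bounds(line):
    """Return (key_len, alg_minbits, alg_maxbits) from a kernel_alg_db_add() message."""
    m = re.search(r"key_len=(\d+), alg_minbits=(\d+), alg_maxbits=(\d+)", line)
    if not m:
        raise ValueError("not a key_len range message")
    return tuple(int(g) for g in m.groups())

def split_phase2alg(value):
    """Split e.g. 'aes_gcm_c-288-null' into (mode, composite_bits, aes_bits, salt_bits)."""
    m = re.fullmatch(r"(aes_(?:ccm|gcm))_c-(\d+)-null", value)
    if not m:
        raise ValueError(f"unrecognised phase2alg: {value}")
    mode, composite = m.group(1), int(m.group(2))
    salt = SALT_BITS[mode]
    aes = composite - salt
    if aes not in AES_KEY_BITS:
        raise ValueError(f"{value}: {composite} - {salt} is not an AES key size")
    return mode, composite, aes, salt

def survey(line=LOG):
    """List (phase2alg, aes_bits, fits_logged_range) for every mode and AES key size."""
    _, lo, hi = logged_bounds(line)
    rows = []
    for mode, salt in SALT_BITS.items():
        for aes in AES_KEY_BITS:
            composite = aes + salt  # the number written into phase2alg
            rows.append((f"{mode}_c-{composite}-null", aes, lo <= composite <= hi))
    return rows

if __name__ == "__main__":
    for value, aes, ok in survey():
        print(f"{value:24} AES-{aes}  {'in range' if ok else 'outside logged range'}")
```
<BR>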
<BR> <BR>                                            </body>
</html>