<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19394">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Verdana><FONT size=2>Dear Sirs,</FONT></FONT></DIV>
<DIV><FONT size=2 face=Verdana></FONT> </DIV>
<DIV><FONT face=Verdana><FONT size=2>I try to change the DH group to
make the vpn tunnel up<BR><BR>1>Set different DH group on two devices phase1
and the same setting phase2.</FONT></FONT></DIV>
<DIV><FONT face=Verdana><FONT size=2>Test result==> The phase1 failed,The vpn
tunnel can not be
up.<BR><openswan><BR> phase1=3des-md5;modp1536!<BR> phase2=
3des-hmac_md5!;modp1024<BR> <other
system><BR> phase1=3des-md5;modp1024<BR> phase2=
3des-md5!;modp1024<BR><BR>===========================================================<BR>2>Set
different DH group on two devices phase2 and the same setting
phase1.</FONT></FONT></DIV>
<DIV><FONT face=Verdana><FONT size=2>Test result==> The vpn tunnel can be
up.</DIV></FONT></FONT>
<DIV><FONT face=Verdana><FONT
size=2><openswan><BR> phase1=3des-md5;modp1024!<BR> phase2=
3des-hmac_md5!;modp1536<BR> <other
system><BR> phase1=3des-md5;modp1024<BR> phase2=
3des-md5!;modp1024</FONT></FONT></DIV>
<DIV><FONT face=Verdana><BR><FONT size=2># ipsec auto --status<BR>000 using
kernel interface: netkey<BR>000 interface lo/lo ::1<BR>000 interface lo/lo
127.0.0.1<BR>000 interface br0/br0 192.168.2.254<BR>000 interface eth0.1/eth0.1
172.17.21.81<BR>000 %myid = (none)<BR>000 debug none<BR>000<BR>000
virtual_private (%priv):<BR>000 - allowed 0 subnets:<BR>000 - disallowed 0
subnets:<BR>000 WARNING: Either virtual_private= is not specified, or there is a
syntax<BR>000 error in
that line. 'left/rightsubnet=vhost:%priv' will not <BR>work!<BR>000 WARNING:
Disallowed subnets in virtual_private= is empty. If you
have<BR>000 private
address space in internal use, it should be excluded!<BR>000<BR>000 algorithm
ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
<BR>keysizema<BR>x=64<BR>000 algorithm ESP encrypt: id=3, name=ESP_3DES,
ivlen=8, keysizemin=192, <BR>keysize<BR>max=192<BR>000 algorithm ESP encrypt:
id=11, name=ESP_NULL, ivlen=0, keysizemin=0, <BR>keysizem<BR>ax=0<BR>000
algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
<BR>keysize<BR>max=256<BR>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A,
ivlen=8, <BR>keysizemin=128, k<BR>eysizemax=256<BR>000 algorithm ESP encrypt:
id=15, name=ESP_AES_CCM_B, ivlen=8, <BR>keysizemin=128,
k<BR>eysizemax=256<BR>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C,
ivlen=8, <BR>keysizemin=128, k<BR>eysizemax=256<BR>000 algorithm ESP encrypt:
id=18, name=ESP_AES_GCM_A, ivlen=8, <BR>keysizemin=128,
k<BR>eysizemax=256<BR>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B,
ivlen=8, <BR>keysizemin=128, k<BR>eysizemax=256<BR>000 algorithm ESP encrypt:
id=20, name=ESP_AES_GCM_C, ivlen=8, <BR>keysizemin=128,
k<BR>eysizemax=256<BR>000 algorithm ESP auth attr: id=1,
name=AUTH_ALGORITHM_HMAC_MD5, <BR>keysizemin=128,<BR> keysizemax=128<BR>000
algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
<BR>keysizemin=160<BR>, keysizemax=160<BR>000 algorithm ESP auth attr: id=251,
name=AUTH_ALGORITHM_NULL_KAME, <BR>keysizemin=0<BR>, keysizemax=0<BR>000<BR>000
algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131<BR>000
algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8,
<BR>keydeflen=64<BR>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
blocksize=8, <BR>keydeflen=19<BR>2<BR>000 algorithm IKE encrypt: id=7,
name=OAKLEY_AES_CBC, blocksize=16, <BR>keydeflen=12<BR>8<BR>000 algorithm IKE
hash: id=1, name=OAKLEY_MD5, hashsize=16<BR>000 algorithm IKE hash: id=2,
name=OAKLEY_SHA1, hashsize=20<BR>000 algorithm IKE hash: id=4,
name=OAKLEY_SHA2_256, hashsize=32<BR>000 algorithm IKE hash: id=6,
name=OAKLEY_SHA2_512, hashsize=64<BR>000 algorithm IKE dh group: id=1,
name=OAKLEY_GROUP_MODP768, bits=768<BR>000 algorithm IKE dh group: id=2,
name=OAKLEY_GROUP_MODP1024, bits=1024<BR>000 algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536<BR>000 algorithm IKE dh group: id=14,
name=OAKLEY_GROUP_MODP2048, bits=2048<BR>000 algorithm IKE dh group: id=15,
name=OAKLEY_GROUP_MODP3072, bits=3072<BR>000 algorithm IKE dh group: id=16,
name=OAKLEY_GROUP_MODP4096, bits=4096<BR>000 algorithm IKE dh group: id=17,
name=OAKLEY_GROUP_MODP6144, bits=6144<BR>000 algorithm IKE dh group: id=18,
name=OAKLEY_GROUP_MODP8192, bits=8192<BR>000 algorithm IKE dh group: id=22,
name=OAKLEY_GROUP_DH22, bits=1024<BR>000 algorithm IKE dh group: id=23,
name=OAKLEY_GROUP_DH23, bits=2048<BR>000 algorithm IKE dh group: id=24,
name=OAKLEY_GROUP_DH24, bits=2048<BR>000<BR>000 stats db_ops: {curr_cnt,
total_cnt, maxsz} :context={0,2,36}
<BR>trans={0,2,360}<BR> attrs={0,2,480}<BR>000<BR>000 "test":
<BR>192.168.2.0/24===172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21<BR>.80>===192.168.1.0/24;
erouted; eroute owner: #2<BR>000 "test": myip=unset;
hisip=unset;<BR>000 "test": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; <BR>rekey_fuz<BR>z: 100%; keyingtries: 0<BR>000
"test": policy:
<BR>PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;<BR> prio:
24,24; interface: eth0.1;<BR>000 "test": newest ISAKMP SA: #1;
newest IPsec SA: #2;<BR>000 "test": IKE algorithms wanted:
3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); <BR>fla<BR>gs=strict<BR>000
"test": IKE algorithms found:
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)<BR>000 "test": IKE algorithm
newest: 3DES_CBC_192-MD5-MODP1024<BR>000 "test": ESP algorithms
wanted: 3DES(3)_000-MD5(1)_000; <BR>pfsgroup=MODP1536(5<BR>);
flags=strict<BR>000 "test": ESP algorithms loaded:
3DES(3)_192-MD5(1)_128<BR>000 "test": ESP algorithm newest:
3DES_000-HMAC_MD5; pfsgroup=MODP1536<BR>000<BR>000 #2: "test":500 STATE_QUICK_I2
(sent QI2, IPsec SA established); <BR>EVENT_SA_REP<BR>LACE in 27932s; newest
IPSEC; eroute owner; isakmp#1; idle; import:admin <BR>initiat<BR>e<BR>000 #2:
"test" </FONT><A href=""><FONT size=2>esp.d370a0e@172.17.21.80</FONT></A><FONT
size=2> </FONT><A href=""><FONT size=2>esp.f28fec16@172.17.21.81</FONT></A><FONT
size=2> ref=0 <BR>refhim=4<BR>294901761<BR>000 #1: "test":500 STATE_MAIN_I4
(ISAKMP SA established); EVENT_SA_REPLACE <BR>in 26<BR>17s; newest ISAKMP;
lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate<BR>#<BR><BR>I am very
confused.The test result are as above.Are they correct or <BR>not?Originally I
think if use different algorithms,the tunnel should not <BR>work.But the final
result is different.I have no idea in this <BR>question.Please help very
thank's<BR></FONT></DIV></FONT>
<DIV><FONT face=Verdana><FONT size=2>Best Regards,</FONT></FONT></DIV>
<DIV><FONT face=Verdana><FONT size=2>Ozai<BR></DIV></FONT></FONT></BODY></HTML>