[Openswan dev] [Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Paul Wouters paul at xelerance.com
Fri Mar 12 09:49:12 EST 2010


On Fri, 12 Mar 2010, Michael H. Warfield wrote:

> This is the complete set of 24 proposals from vpnc
>
>  0 aes256-sha1-mod1024     XAUTHInitPreShared
>  1 aes256-md5-mod1024      XAUTHInitPreShared
>  2 aes192-sha1-mod1024     XAUTHInitPreShared
>  3 aes192-md5-mod1024      XAUTHInitPreShared
> * 4 aes128-sha1-mod1024     XAUTHInitPreShared
>  5 aes128-md5-mod1024      XAUTHInitPreShared
>  6 3des-sha1-mod1024       XAUTHInitPreShared
>  7 3des-md5-mod1024        XAUTHInitPreShared
>  8 des-sha1-mod1024        XAUTHInitPreShared
>  9 des-md5-mod1024         XAUTHInitPreShared
> 10 RESERVED-sha1-mod1024   XAUTHInitPreShared
> 11 RESERVED-md5-mod1024    XAUTHInitPreShared

Can you obtain the proposal numbers for "RESERVED"? Perhaps by
initiating vpnc against a pluto with plutodebug=all? It might
be that our ietf_constants.h needs updating for a new cipher?
(perhaps this is camellia?)

Which ones do we send?

> 12 aes256-sha1-mod1024     PSK
> 13 aes256-md5-mod1024      PSK

[...]

Not sure about these. Without xauth perhaps?

>> So currently ike=aes works, but ike=sha1 or ike=modp1024 does not. Ideally,
>> that would be fixed.
>
> Cool.

>> I'd say that's prob easier than the proposal code :)
>
> Before, I would have agreed.  Now having done it, this was a snap.  I
> really hope you're right.  That must mean it'll be a walk in the park
> for you.

Except the Rolling Stones were wrong. Time is never on my side :P

>>> That patch is attached here for this.  This makes multiple proposals in
>>> aggressive mode work for me, even if it does make the config a bit ugly.
>>>
>>> Diffs are against 2.6.24 release code.  I can rebase if desired.
>
>> I have not yet looked at it, but will try to merge it in tomorrow.
>
> Very good.

Paul

