[Openswan dev] [Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510
paul at xelerance.com
Fri Mar 12 09:49:12 EST 2010
On Fri, 12 Mar 2010, Michael H. Warfield wrote:
> This is the complete set of 24 proposals from vpnc
> 0 aes256-sha1-mod1024 XAUTHInitPreShared
> 1 aes256-md5-mod1024 XAUTHInitPreShared
> 2 aes192-sha1-mod1024 XAUTHInitPreShared
> 3 aes192-md5-mod1024 XAUTHInitPreShared
> * 4 aes128-sha1-mod1024 XAUTHInitPreShared
> 5 aes128-md5-mod1024 XAUTHInitPreShared
> 6 3des-sha1-mod1024 XAUTHInitPreShared
> 7 3des-md5-mod1024 XAUTHInitPreShared
> 8 des-sha1-mod1024 XAUTHInitPreShared
> 9 des-md5-mod1024 XAUTHInitPreShared
> 10 RESERVED-sha1-mod1024 XAUTHInitPreShared
> 11 RESERVED-md5-mod1024 XAUTHInitPreShared
Can you obtain the proposal numbers for "RESERVED"? perhaps by
initiating vpnc against a pluto with plutodebug=all? It might
be that our ietf_constants.h needs updating for a new cipher?
(perhaps this is camellia?)
Which ones do we send?
> 12 aes256-sha1-mod1024 PSK
> 13 aes256-md5-mod1024 PSK
Not sure about these. Without xauth perhaps?
>> So currently ike=aes works, but ike=sha1 or ike=modp1024 does not. Ideally,
>> that would be fixed.
>> I'd say that's prob easier then the proposal code :)
> Before, I would have agreed. Now having done it, this was a snap. I
> really hope you're right. That must mean it'll be a walk in the park
> for you.
Except the Rolling Stones were wrong. Time is never on my side :P
>>> That patch is attached here for this. This makes multiple proposals in
>>> aggressive mode work for me, even if it does make the config a bit ugly.
>>> Diff's are against 2.6.24 release code. I can rebase if desired.
>> I have not yet looked at it, but will try to merge it in tomorrow.
> Very good.
More information about the Dev