[Openswan dev] [Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510
Michael H. Warfield
mhw at WittsEnd.com
Fri Mar 12 10:06:49 EST 2010
On Fri, 2010-03-12 at 09:49 -0500, Paul Wouters wrote:
> On Fri, 12 Mar 2010, Michael H. Warfield wrote:
> > This is the complete set of 24 proposals from vpnc
> >
> > 0 aes256-sha1-mod1024 XAUTHInitPreShared
> > 1 aes256-md5-mod1024 XAUTHInitPreShared
> > 2 aes192-sha1-mod1024 XAUTHInitPreShared
> > 3 aes192-md5-mod1024 XAUTHInitPreShared
> > * 4 aes128-sha1-mod1024 XAUTHInitPreShared
> > 5 aes128-md5-mod1024 XAUTHInitPreShared
> > 6 3des-sha1-mod1024 XAUTHInitPreShared
> > 7 3des-md5-mod1024 XAUTHInitPreShared
> > 8 des-sha1-mod1024 XAUTHInitPreShared
> > 9 des-md5-mod1024 XAUTHInitPreShared
> > 10 RESERVED-sha1-mod1024 XAUTHInitPreShared
> > 11 RESERVED-md5-mod1024 XAUTHInitPreShared
> Can you obtain the proposal numbers for "RESERVED"? perhaps by
> initiating vpnc against a pluto with plutodebug=all? It might
> be that our ietf_constants.h needs updating for a new cipher?
> (perhaps this is camellia?)
I had saved the trace from vpnc and was using wireshark to look at it.
Here's the details from each of those last two proposals.
  Transform payload # 10
    Next payload: Transform (3)
    Payload length: 36
    Transform number: 10
    Transform ID: KEY_IKE (1)
    Encryption-Algorithm (1): RESERVED (0)
    Hash-Algorithm (2): SHA (2)
    Group-Description (4): Alternate 1024-bit MODP group (2)
    Authentication-Method (3): XAUTHInitPreShared (65001)
    Life-Type (11): Seconds (1)
    Life-Duration (12): Duration-Value (2147483)

  Transform payload # 11
    Next payload: Transform (3)
    Payload length: 36
    Transform number: 11
    Transform ID: KEY_IKE (1)
    Encryption-Algorithm (1): RESERVED (0)
    Hash-Algorithm (2): MD5 (1)
    Group-Description (4): Alternate 1024-bit MODP group (2)
    Authentication-Method (3): XAUTHInitPreShared (65001)
    Life-Type (11): Seconds (1)
    Life-Duration (12): Duration-Value (2147483)
Ok... That's just weird. That doesn't make any sense to be proposing
encryption algorithm 0. That really is reserved. I think that must be
a bug in vpnc but I'll have to go back to the sources to double check
that one. Maybe there's a reason and they have it commented.
> Which ones do we send?
0 - 7 match the ones we send with the ike string I sent in the earlier
message.
> > 12 aes256-sha1-mod1024 PSK
> > 13 aes256-md5-mod1024 PSK
> [...]
> Not sure about these. Without xauth perhaps?
That would kinda be my guess too, yeah. Unless I actually caught a
working exchange that used one of them, I don't know. Maybe the
sources will give me a clue there as well.
> >> So currently ike=aes works, but ike=sha1 or ike=modp1024 does not. Ideally,
> >> that would be fixed.
> >
> > Cool.
> >> I'd say that's prob easier than the proposal code :)
> >
> > Before, I would have agreed. Now having done it, this was a snap. I
> > really hope you're right. That must mean it'll be a walk in the park
> > for you.
>
> Except the Rolling Stones were wrong. Time is never on my side :P
I hear ya. You and me both.
I'm going to start looking into those stray SAs on --down and stray IP
addresses on unload problems. They shouldn't be too hard to find but,
as you say...
> >>> That patch is attached here for this. This makes multiple proposals in
> >>> aggressive mode work for me, even if it does make the config a bit ugly.
> >>>
> >>> Diffs are against 2.6.24 release code. I can rebase if desired.
> >
> >> I have not yet looked at it, but will try to merge it in tomorrow.
> >
> > Very good.
>
> Paul
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
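The dissection quoted in the message above is of ISAKMP transform payloads (RFC 2408 section 3.6) carrying IKEv1 phase 1 SA attributes (RFC 2409 Appendix A). What follows is an added example, not code from the original message, from Openswan or from vpnc: a small parser that decodes a transform payload the way the Wireshark dump does, renders it as a proposal string, and flags an Encryption-Algorithm value of 0, which is reserved. The byte strings are constructed here from the values shown in the dump (length 36, transform number 10, the six attributes); the lookup tables, the function names, the "modp1024" spelling (Openswan's ike= syntax rather than vpnc's "mod1024") and the second aes256 sample are this example's own assumptions.

```python
import struct

# IKEv1 phase 1 SA attribute types (RFC 2409 Appendix A) and the values
# needed for the proposals discussed in this thread. Tables are partial.
ATTR_NAMES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm",
              3: "Authentication-Method", 4: "Group-Description",
              11: "Life-Type", 12: "Life-Duration", 14: "Key-Length"}
ENC_ALGS = {0: "RESERVED", 1: "des", 5: "3des", 7: "aes"}
HASH_ALGS = {1: "md5", 2: "sha1"}
GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
AUTH_METHODS = {1: "PSK", 3: "RSASIG", 65001: "XAUTHInitPreShared"}

# Transform payload header (RFC 2408 section 3.6): next payload, reserved,
# payload length, transform number, transform ID, reserved.
TRANSFORM_HDR = struct.Struct(">BBHBBH")


def parse_attributes(buf):
    """Decode ISAKMP data attributes (RFC 2408 section 3.3) into (type, value) pairs."""
    attrs = []
    off = 0
    while off + 4 <= len(buf):
        af_type, second = struct.unpack_from(">HH", buf, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:            # AF=1: TV form, 'second' is the 2-byte value
            attrs.append((atype, second))
            off += 4
        else:                           # AF=0: TLV form, 'second' is the value length
            raw = buf[off + 4:off + 4 + second]
            if len(raw) != second:
                raise ValueError("truncated TLV attribute")
            attrs.append((atype, int.from_bytes(raw, "big")))
            off += 4 + second
    if off != len(buf):
        raise ValueError("trailing bytes in attribute list")
    return attrs


def parse_transform(buf):
    """Parse one transform payload into a dict mirroring Wireshark's dissection."""
    if len(buf) < TRANSFORM_HDR.size:
        raise ValueError("short transform payload")
    nxt, _, length, number, tid, _ = TRANSFORM_HDR.unpack_from(buf, 0)
    if length < TRANSFORM_HDR.size or length > len(buf):
        raise ValueError("bad payload length %d" % length)
    attrs = parse_attributes(buf[TRANSFORM_HDR.size:length])
    return {"next_payload": nxt, "length": length, "number": number,
            "transform_id": tid, "attributes": dict(attrs)}


def proposal_string(t):
    """Render a parsed transform as e.g. 'aes256-sha1-modp1024 XAUTHInitPreShared'."""
    a = t["attributes"]
    enc = ENC_ALGS.get(a.get(1), "enc%s" % a.get(1))
    keylen = str(a[14]) if 14 in a else ""
    hsh = HASH_ALGS.get(a.get(2), "hash%s" % a.get(2))
    grp = GROUPS.get(a.get(4), "group%s" % a.get(4))
    auth = AUTH_METHODS.get(a.get(3), "auth%s" % a.get(3))
    return "%s%s-%s-%s %s" % (enc, keylen, hsh, grp, auth)


def is_reserved_encryption(t):
    """True when Encryption-Algorithm is 0, a value RFC 2409 reserves (never valid)."""
    return t["attributes"].get(1) == 0


def build_transform(number, attrs, next_payload=3):
    """Encode a transform payload (constructed sample data, not captured bytes)."""
    body = b""
    for atype, value in attrs:
        if value <= 0xFFFF:                                  # TV form
            body += struct.pack(">HH", 0x8000 | atype, value)
        else:                                                # TLV form, 4-byte value
            body += struct.pack(">HHI", atype, 4, value)
    hdr = TRANSFORM_HDR.pack(next_payload, 0, TRANSFORM_HDR.size + len(body), number, 1, 0)
    return hdr + body


# Constructed from the dump of transform #10: RESERVED(0), SHA, group 2,
# XAUTHInitPreShared, lifetime 2147483 seconds. Encodes to 36 bytes.
TRANSFORM_10 = build_transform(10, [(1, 0), (2, 2), (4, 2), (3, 65001), (11, 1), (12, 2147483)])
# A constructed, sane aes256-sha1-modp1024 proposal with a Key-Length attribute.
TRANSFORM_AES256 = build_transform(0, [(1, 7), (14, 256), (2, 2), (4, 2), (3, 65001),
                                       (11, 1), (12, 2147483)])

if __name__ == "__main__":
    for name, raw in (("transform #10", TRANSFORM_10), ("aes256", TRANSFORM_AES256)):
        t = parse_transform(raw)
        flag = "  <-- reserved encryption algorithm" if is_reserved_encryption(t) else ""
        print("%-14s len=%d  %s%s" % (name, t["length"], proposal_string(t), flag))
```

Run against a real capture, the same parser can walk every transform in the SA payload and print the proposal list in the form vpnc and Openswan log it, so a mismatch between what the initiator sends and what the responder accepts is visible without reading the hex by hand.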