[Openswan Users] openswan with only aes encryption

Andreas Steffen andreas.steffen at strongsec.net
Fri Sep 24 18:30:55 CEST 2004


It seems that the peer's first proposal is for 3DES
and your box accepts this. If you want to restrict the
chosen algorithm to AES then you must use the ! strict flag
(exclamation mark) as in

       ike=aes128-sha,aes128-md5!
       esp=aes128-sha1,aes128-md5!

Regards

Andreas

foren titze wrote:
> hello
> 
> I use openswan 1.0.7 on Debian woody and it works fine with 3des.
> ipsec is linked statically to the kernel, no module.
> 
> now, the box is a P3 with 600 MHz and openswan uses 3des as standard, this is
> too slow for me.
> I have only compiled in aes in the kernel. see the picture, but ipsec doesn't
> use it.
> 
> I have this in my ipsec.conf
> 
> conn %default
>      dpdaction=clear
>      keylife=2h
>      rekeymargin=9m
>      keyingtries=3
>      disablearrivalcheck=no
>      type=tunnel
>      ike=aes128-sha,aes128-md5
>      esp=aes128-sha1,aes128-md5
> 
> ipsec spi gives me this:
> 
> esp0x37d14965 at 149.225.184.120 ESP_3DES_HMAC_MD5: dir=out src=62.92.xxx.156 
> iv_bits=64bits
> esp0x3d358274 at 62.92.xxx.156 ESP_3DES_HMAC_MD5: dir=in  src=149.225.184.120 
> iv_bits=64bits 
> 
> 
> why does ipsec use only 3des and not aes?
> 
> thx

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
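
The check described in this thread, as an added example that is not part of the original posts and not Openswan code: it flags ike=/esp= lines that lack the strict flag and ESP SAs in `ipsec spi`-style output that did not negotiate AES. The sample config and SA lines are constructed from the thread's excerpts; the function names, the documentation-range addresses and the transform name `ESP_AES_HMAC_SHA1` are assumptions.

```python
import re

# Constructed sample input modelled on the excerpts quoted in this thread.
# Addresses are documentation ranges; the ESP_AES_HMAC_SHA1 name is an assumption.
SAMPLE_CONF = """\
conn %default
     keylife=2h
     type=tunnel
     ike=aes128-sha,aes128-md5
     esp=aes128-sha1,aes128-md5!
"""
SAMPLE_SPI = """\
esp0x37d14965@192.0.2.10 ESP_3DES_HMAC_MD5: dir=out src=198.51.100.7 iv_bits=64bits
esp0x3d358274@198.51.100.7 ESP_AES_HMAC_SHA1: dir=in  src=192.0.2.10 iv_bits=128bits
"""

# SA id, then "@" (or " at " as mail archives render it), peer, transform name.
SPI_RE = re.compile(r"^(esp0x[0-9a-f]+)(?:@| at )\S+\s+(\w+):")

def non_strict_proposals(conf_text):
    """Return (conn, keyword, value) for each ike=/esp= line without a trailing '!'."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header: "conn NAME" or "config setup"
            parts = line.split()
            conn = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            continue
        m = re.match(r"\s+(ike|esp)\s*=\s*(\S+)", line)
        if m and not m.group(2).endswith("!"):
            findings.append((conn, m.group(1), m.group(2)))
    return findings

def sas_outside_policy(spi_text, allowed=("AES",)):
    """Return (sa_id, transform) for each ESP SA whose transform names no allowed cipher."""
    findings = []
    for line in spi_text.splitlines():
        m = SPI_RE.match(line.strip())
        if m and not set(allowed) & set(m.group(2).split("_")):
            findings.append((m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for conn, key, value in non_strict_proposals(SAMPLE_CONF):
        print(f"conn {conn}: {key}={value} is not strict; the peer's proposal may still be accepted")
    for sa, transform in sas_outside_policy(SAMPLE_SPI):
        print(f"{sa}: negotiated {transform}, outside the allowed cipher list")
```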

