[Openswan Users] openswan with only aes encryption
Foren
foren.titze at gmx.net
Fri Sep 24 19:34:30 CEST 2004
Andreas Steffen wrote:
> It seems that the peer's first proposal is for 3DES
> and your box accepts this. If you want to restrict the
> chosen algorithm to AES then you must use the ! strict flag
> (exclamation mark) as in
>
> ike=aes128-sha,aes128-md5!
> esp=aes128-sha1,aes128-md5!
>
> Regards
>
> Andreas
>
> foren titze wrote:
>
>> hello
>>
>> I use openswan 1.0.7 on Debian woody and it works fine with 3des.
>> ipsec is linked statically into the kernel, no module.
>> Now, the box is a P3 with 600 MHz and openswan uses 3des as
>> standard, this is too slow for me. I have only compiled in aes in the
>> kernel. See the picture, but ipsec doesn't use it.
>>
>> I have this in my ipsec.conf
>>
>> conn %default
>>     dpdaction=clear
>>     keylife=2h
>>     rekeymargin=9m
>>     keyingtries=3
>>     disablearrivalcheck=no
>>     type=tunnel
>>     ike=aes128-sha,aes128-md5
>>     esp=aes128-sha1,aes128-md5
>>
>> ipsec spi gives me this:
>> esp0x37d14965 at 149.225.184.120 ESP_3DES_HMAC_MD5: dir=out
>> src=62.92.xxx.156 iv_bits=64bits
>> esp0x3d358274 at 62.92.xxx.156 ESP_3DES_HMAC_MD5: dir=in
>> src=149.225.184.120 iv_bits=64bits
>>
>> Why does ipsec use only 3des and not aes?
>>
>> thx
>
>
> =======================================================================
> Andreas Steffen e-mail: andreas.steffen at strongsec.com
> strongSec GmbH home: http://www.strongsec.com
> Alter Zürichweg 20 phone: +41 1 730 80 64
> CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
> ==========================================[strong internet security]===
>
>
Thanks. It seems to work.
But now my next problem: I connect from a Windows XP client and it
can't connect with AES. Is 3DES the only encryption for Windows?
thx
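
Added example, not part of the original thread and not Openswan code: a small Python audit of the behaviour described in the quoted reply, checking that `ike=`/`esp=` proposals carry the strict `!` flag and that the SAs listed by `ipsec spi` use an algorithm from the `esp=` list. The function names, the documentation addresses and the `ESP_AES_HMAC_SHA1` sample line are assumptions made for the example.

```python
import re

HASHES = {"sha": "SHA1", "sha1": "SHA1", "md5": "MD5"}

def parse_proposals(conf, key):
    """Return ([(cipher, hash), ...], strict) for an ike= or esp= line."""
    m = re.search(rf"^\s*{key}\s*=\s*(\S+)", conf, re.M)
    if not m:
        return [], False
    value = m.group(1)
    strict = value.endswith("!")  # trailing "!" restricts negotiation to this list
    props = []
    for item in value.rstrip("!").split(","):
        cipher, _, integ = item.lower().partition("-")
        family = re.match(r"\d*[a-z]+", cipher).group(0).upper()  # aes128 -> AES
        props.append((family, HASHES.get(integ, integ.upper())))
    return props, strict

def negotiated_sas(spi_output):
    """Return [(spi, cipher, hash)] from `ipsec spi` lines like those in the thread."""
    pat = re.compile(r"^(esp0x[0-9a-f]+)\b.*?\bESP_([0-9A-Z]+)_HMAC_([0-9A-Z]+):", re.M)
    return pat.findall(spi_output)

def audit(conf, spi_output):
    """List configuration and SA findings; an empty list means nothing to report."""
    findings = []
    for key in ("ike", "esp"):
        props, strict = parse_proposals(conf, key)
        if props and not strict:
            findings.append(f"{key}= is not strict: a peer proposal outside the list can be accepted")
    esp_props, _ = parse_proposals(conf, "esp")
    for spi, cipher, integ in negotiated_sas(spi_output):
        if esp_props and (cipher, integ) not in esp_props:
            findings.append(f"{spi} negotiated {cipher}/{integ}, not in esp= list")
    return findings

# Proposals and SA algorithm names as posted in the thread; addresses are constructed.
CONF_LOOSE = "conn %default\n    ike=aes128-sha,aes128-md5\n    esp=aes128-sha1,aes128-md5\n"
SPI_3DES = ("esp0x37d14965@192.0.2.1 ESP_3DES_HMAC_MD5: dir=out\n"
            "esp0x3d358274@192.0.2.2 ESP_3DES_HMAC_MD5: dir=in\n")
# Same config with the strict flag; the AES SA line is constructed (name format assumed).
CONF_STRICT = CONF_LOOSE.replace("md5\n", "md5!\n")
SPI_AES = "esp0x11111111@192.0.2.1 ESP_AES_HMAC_SHA1: dir=out\n"

if __name__ == "__main__":
    for line in audit(CONF_LOOSE, SPI_3DES):
        print("WARN", line)
```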