[Openswan Users] openswan with only aes encryption

Andreas Steffen andreas.steffen at strongsec.net
Fri Sep 24 19:43:30 CEST 2004


Foren wrote:

> Andreas Steffen wrote:
> 
>> It seems that the peer's first proposal is for 3DES
>> and your box accepts this. If you want to restrict the
>> chosen algorithm to AES then you must use the ! strict flag
>> (exclamation mark) as in
>>
>>       ike=aes128-sha,aes128-md5!
>>       esp=aes128-sha1,aes128-md5!
>>
>> Regards
>>
>> Andreas
>>
>> foren titze wrote:
>>
>>> hello
>>>
>>> i use openswan 1.0.7 on Debian woody and it works fine with 3des. 
>>> ipsec is linked statically to the kernel, no module.
>>> now, the box is a P3 with 600 MHz and openswan uses 3des as 
>>> standard, this is too slow for me. I have only compiled in aes in the 
>>> kernel. see the picture, but ipsec doesn't use it.
>>>
>>> i have this in my ipsec.conf
>>>
>>> conn %default
>>>      dpdaction=clear
>>>      keylife=2h
>>>      rekeymargin=9m
>>>      keyingtries=3
>>>      disablearrivalcheck=no
>>>      type=tunnel
>>>      ike=aes128-sha,aes128-md5
>>>      esp=aes128-sha1,aes128-md5
>>>
>>> ipsec spi gives me this:
>>> esp0x37d14965 at 149.225.184.120 ESP_3DES_HMAC_MD5: dir=out 
>>> src=62.92.xxx.156 iv_bits=64bits
>>> esp0x3d358274 at 62.92.xxx.156 ESP_3DES_HMAC_MD5: dir=in  
>>> src=149.225.184.120 iv_bits=64bits
>>>
>>> why does ipsec use only 3des and not aes?
>>>
>>> thx
>>
>>
>>
>> =======================================================================
>> Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
>> strongSec GmbH                    home:   http://www.strongsec.com
>> Alter Zürichweg 20                phone:  +41 1 730 80 64
>> CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
>> ==========================================[strong internet security]===
>>
>>
> Thanks. It seems to work.
> But, now my next problem. I connect from a WindowsXP client and this 
> can't connect with aes. Is the only encryption 3des for windows?
> 
> thx

Unfortunately the native WindowsXP IPsec Stack does not support AES.
Only third party VPN clients (SafeNet SoftRemote, TheGreenBow, NCP, etc.)
do.

Andreas

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
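
An added example, not part of the original messages: a small audit that flags `ike=`/`esp=` proposals missing the `!` strict flag and reports ESP SAs in `ipsec spi` output that did not negotiate AES. The function names and the sample input are constructed here; the `ESP_AES_HMAC_SHA1` label for an AES SA is an assumption.

```python
import re

# Constructed sample input, modelled on the ipsec.conf and `ipsec spi` lines quoted in the thread.
SAMPLE_CONF = """\
conn %default
     keylife=2h
     ike=aes128-sha,aes128-md5
     esp=aes128-sha1,aes128-md5!
"""
# The AES line is a constructed assumption about how an AES SA is labelled.
SAMPLE_SPI = """\
esp0x37d14965@149.225.184.120 ESP_3DES_HMAC_MD5: dir=out src=62.92.xxx.156 iv_bits=64bits
esp0x3d358274@62.92.xxx.156 ESP_AES_HMAC_SHA1: dir=in src=149.225.184.120 iv_bits=128bits
"""

# ike=/esp= assignments; commented-out lines do not match because '#' precedes the keyword.
PROPOSAL_RE = re.compile(r"^[ \t]*(ike|esp)[ \t]*=[ \t]*(\S+)", re.M)
# SA id, peer, cipher and direction; accepts '@' or the list archive's ' at ' rendering.
SA_RE = re.compile(
    r"^(esp0x[0-9a-f]+)(?:@| at )(\S+)\s+ESP_([A-Z0-9]+)_HMAC_[A-Z0-9]+:\s+dir=(in|out)",
    re.M,
)

def non_strict_proposals(conf_text):
    """Return (keyword, value) for every ike=/esp= line without the trailing '!'."""
    found = []
    for keyword, value in PROPOSAL_RE.findall(conf_text):
        value = value.strip('"')
        if not value.endswith("!"):
            found.append((keyword, value))
    return found

def unexpected_sas(spi_text, allowed=("AES",)):
    """Return (sa, peer, cipher, direction) for ESP SAs whose cipher is not allowed."""
    return [m.groups() for m in SA_RE.finditer(spi_text)
            if not m.group(3).startswith(allowed)]

if __name__ == "__main__":
    for keyword, value in non_strict_proposals(SAMPLE_CONF):
        print(f"{keyword}={value}: no strict flag, a peer's 3DES proposal can still be accepted")
    for sa, peer, cipher, direction in unexpected_sas(SAMPLE_SPI):
        print(f"{sa}@{peer} dir={direction}: negotiated {cipher}, expected AES")
```

Checking the live SAs as well as the configuration catches the case in this thread, where the configured AES proposals were present but the tunnel still came up with 3DES.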

