[Openswan Users] Re: How to enable AES algorithm for Openswan-2.3.0

Paul Wouters paul at xelerance.com
Sat Apr 16 13:59:59 CEST 2005


On Sat, 16 Apr 2005, mohan chandra wrote:

Please use the mailing list for questions about openswan.

Please read the man page. authby cannot be 'esp' or 'ah'. It has to be
'secret' or 'rsasig'. Please read your logfiles more carefully at
openswan startup, since these errors are reported.


Paul
 
> Date: Sat, 16 Apr 2005 06:34:28 +0100 (BST)
> From: mohan chandra <mohanchandra_01 at yahoo.co.in>
> To: paul at xelerance.com
> Subject: How to enable AES algorithm for Openswan-2.3.0
> 
> Hello,
> 
> 
> I have tried to establish an automatic connection for the
> openswan implementation, but the connection establishes
> only for the ISAKMP SA (Main-mode) and there it stops.
> It is not establishing the IPSec SA.
> 
> Only manual connection is working for ESP with
> 3des-md5-96 and 3des-sha1-96 algorithms, but for the
> same manual connection with aes-md5-96 is not
> enabling.
> 
> Even I was not able to make a connection for AH alone;
> it is also giving some error like:
> 
> [root at mohan root]# ipsec manual --up ah-connect
> ipsec manual: fatal error in "ah-connect":
> (/etc/ipsec.conf, line 106) unknown parameter name
> "ah"
> 
> So, please clearly specify what to do for Automatic
> connection and for enabling AES algo.
> 
> Plz., help me to enable the connection for
> openswan systems.
> 
> Mohan
>  
> 
> #for 128-bit key length
> > [root at mohan root]# ipsec manual --up host-to-host
> > /usr/local/libexec/ipsec/spi --label host-to-host:
> > invalid encryption keylen=128, must be between 0 and 0 bits
> > 
> > #if we give 256-bit keylength it is giving the error:
> > [root at mohan root]# ipsec manual --up host-to-host
> > /usr/local/libexec/ipsec/spi --label host-to-host:
> > invalid encryption keylen=256, must be between 0 and 0 bits
> --- pw at xelerance.com wrote:
> > On Thu, 14 Apr 2005, mohan chandra wrote:
> > 
> > > I am trying to establish ipsec connection between
> > two
> > > linux systems and I also wanted to test the
> > connection
> > > with different ciphers & auth algorithms and with
> > diff
> > > modes.
> > > 
> > > I have installed IPSec Openswan-2.3.0 on my Linux
> > > system (left) (Redhat Release-9, Kernel 2.4.20-8
> > on an
> > > i686) and also same for the other system (right).
> > > 
> > > 
> > > ipsec.conf has the following details:
> > 
> > We have no test cases for manual keying using the
> > ipsec.conf file. 
> > You could try and use the 'ipsec spi' command
> > directly....
> > 
> > Paul
> >   
> > > # basic configuration
> > > config setup
> > >    	interfaces="ipsec0=eth0"
> > > 	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
> > > 	klipsdebug=none
> > > 	plutodebug=none
> > > 	uniqueids=yes
> > > conn %default
> > > 	keyingtries=0
> > > 	authby=esp
> > > 
> > > conn block
> > > 	auto=ignore
> > > 
> > > conn private
> > > 	auto=add
> > > 
> > > conn private-or-clear
> > > 	auto=ignore
> > > 
> > > conn clear-or-private
> > > 	auto=ignore
> > > 
> > > conn clear
> > > 	auto=ignore
> > > 
> > > conn packetdefault
> > > 	auto=ignore
> > > 
> > > # For manual connection
> > > conn host-to-host
> > > 	left=172.20.17.85
> > > 	leftnexthop=172.20.17.1
> > > 	leftid=@bob
> > > 	right=172.20.17.84
> > > 	rightnexthop=172.20.17.1
> > > 	rightid=@alice
> > > 	type=tunnel
> > > 	spi=0x301
> > > 	esp=aes128-sha1
> > > 	espenckey=0x12345678_9abcdef8_2468ace1_13579bdf
> > > 	espauthkey=0x12345671_abcdef24_01234edf_efdcba65_12345678
> > > 	
> > > conn left-to-right
> > > 	left=172.20.17.85
> > > 	leftnexthop=172.20.17.1
> > > 	leftid=@bob
> > > 	right=172.20.17.84
> > > 	rightnexthop=172.20.17.1
> > > 	rightid=@alice
> > > 	type=tunnel
> > > 	spi=0x304
> > > 	esp=3des-sha1-96
> > > 	espenckey=0x12345678_9abcdef8_2468ace1_13579bdf_2468ace1_13579bdf
> > > 	espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf_12342468
> > > 
> > > We are using these two connections for
> > establishing
> > > manual connection.
> > > connection left-to-right works fine for 3des but 
> > > host-to-host with aes algo. is giving the
> > following
> > > errors:
> > > 
> > > #for 128-bit key length
> > > [root at mohan root]# ipsec manual --up host-to-host
> > > /usr/local/libexec/ipsec/spi --label host-to-host:
> > > invalid encryption keylen=128, must be between 0 and 0 bits
> > > 
> > > #if we give 256-bit keylength it is giving the
> > error:
> > > [root at mohan root]# ipsec manual --up host-to-host
> > > /usr/local/libexec/ipsec/spi --label host-to-host:
> > > invalid encryption keylen=256, must be between 0 and 0 bits
> > > 
> > > So plz., specify what to do for making the
> > connection
> > > to work properly.
> > > 
> > > Specify clearly whether I need to add any other
> > fields
> > > or shall I need to change any field values..
> > >  
> > > I am also attaching ipsec.conf file along with
> > this
> > > mail.
> > > 
> > > Thanx.
> > > 
> > > Mohanchandra
> > > 
> > >
> 
> 

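The two mistakes this thread turns on (an authby value the man page does not accept, and manual-keying keys whose length does not match the esp= transform) are both visible in ipsec.conf before anything is started. Below is an added example, not code from the thread or from Openswan, of a small linter that parses conn sections, folds in conn %default, and reports both problems; the key-size table and the sample conf (the thread's %default and host-to-host conn plus a constructed "short-key" conn) are assumptions for the demonstration.

```python
# Assumed key-size table, built from the transform names in the quoted ipsec.conf.
ENC_BITS = {"aes128": 128, "3des": 192}
AUTH_BITS = {"sha1": 160, "md5": 128}
VALID_AUTHBY = {"secret", "rsasig"}  # the values the reply says the man page allows

# Constructed sample: the thread's %default and host-to-host conn, plus a
# conn not from the thread whose auth key is one 32-bit hex group short.
SAMPLE_CONF = """\
conn %default
\tauthby=esp
conn host-to-host
\tesp=aes128-sha1
\tespenckey=0x12345678_9abcdef8_2468ace1_13579bdf
\tespauthkey=0x12345671_abcdef24_01234edf_efdcba65_12345678
conn short-key
\tauthby=secret
\tesp=aes128-md5-96
\tespenckey=0x12345678_9abcdef8_2468ace1_13579bdf
\tespauthkey=0x12345678_9abcdef0_2468ace0
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' folded into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip(): continue               # and blank lines
        if not line[0].isspace():                   # 'conn NAME' / 'config setup' header
            current = sections.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {n: {**defaults, **c} for n, c in sections.items() if n != "setup"}

def hexbits(value):
    """Bit length of a 0x...._.... key as written in ipsec.conf."""
    return len(value[2:].replace("_", "")) * 4

def lint(text):
    """Return (conn, problem) pairs for bad authby values and mismatched manual keys."""
    problems = []
    for name, conn in parse_ipsec_conf(text).items():
        if conn.get("authby", "secret") not in VALID_AUTHBY:
            problems.append((name, "authby must be secret or rsasig, not " + conn["authby"]))
        if "esp" in conn:
            enc, auth = (conn["esp"].split("-") + [None])[:2]  # e.g. aes128-md5-96
            for key, alg, table in (("espenckey", enc, ENC_BITS), ("espauthkey", auth, AUTH_BITS)):
                if key in conn and alg in table and hexbits(conn[key]) != table[alg]:
                    problems.append((name, f"{key} is {hexbits(conn[key])} bits but {alg} needs {table[alg]}"))
    return problems
```

Running lint(SAMPLE_CONF) flags host-to-host for the inherited authby=esp and short-key for a 96-bit MD5 key, while the page's own 128-bit AES and 160-bit SHA-1 keys pass.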

