[Openswan Users] Re: How to enable AES algorithm for Openswan-2.3.0
pw at xelerance.com
Fri Apr 15 15:10:58 CEST 2005
On Thu, 14 Apr 2005, mohan chandra wrote:
> I am trying to establish ipsec connection between two
> linux systems and I also wanted to test the connection
> with different ciphers & auth algorithms and with diff
> modes.
>
> I have installed IPSec Openswan-2.3.0 on my Linux
> system (left) (Redhat Release-9, Kernel 2.4.20-8 on an
> i686) and also same for the other system (right).
>
>
> ipsec.conf has the following details:
We have no test cases for manual keying using the ipsec.conf file.
You could try and use the 'ipsec spi' command directly....
Paul
> # basic configuration
> config setup
>     interfaces="ipsec0=eth0"
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     klipsdebug=none
>     plutodebug=none
>     uniqueids=yes
> conn %default
>     keyingtries=0
>     authby=esp
>
> conn block
>     auto=ignore
>
> conn private
>     auto=add
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> # For manual connection
> conn host-to-host
>     left=172.20.17.85
>     leftnexthop=172.20.17.1
>     leftid=@bob
>     right=172.20.17.84
>     rightnexthop=172.20.17.1
>     rightid=@alice
>     type=tunnel
>     spi=0x301
>     esp=aes128-sha1
>     espenckey=0x12345678_9abcdef8_2468ace1_13579bdf
>     espauthkey=0x12345671_abcdef24_01234edf_efdcba65_12345678
>
> conn left-to-right
>     left=172.20.17.85
>     leftnexthop=172.20.17.1
>     leftid=@bob
>     right=172.20.17.84
>     rightnexthop=172.20.17.1
>     rightid=@alice
>     type=tunnel
>     spi=0x304
>     esp=3des-sha1-96
>     espenckey=0x12345678_9abcdef8_2468ace1_13579bdf_2468ace1_13579bdf
>
>     espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf_12342468
>
> We are using these two connections for establishing
> manual connection.
> connection left-to-right works fine for 3des but
> host-to-host with aes algo. is giving the following
> errors:
>
> #for 128-bit key length
> [root at mohan root]# ipsec manual --up host-to-host
> /usr/local/libexec/ipsec/spi --label host-to-host: invalid encryption keylen=128, must be between 0 and 0 bits
>
> #if we give 256-bit keylength it is giving the error:
> [root at mohan root]# ipsec manual --up host-to-host
> /usr/local/libexec/ipsec/spi --label host-to-host: invalid encryption keylen=256, must be between 0 and 0 bits
>
> So plz., specify what to do for making the connection
> to work properly.
>
> Specify clearly whether I need to add any other fields
> or shall I need to change any field values..
>
> I am also attaching ipsec.conf file along with this
> mail.
>
> Thanx.
>
> Mohanchandra
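
An added example, not part of the original thread and not Openswan code: a small checker that computes the bit length of the manual `espenckey`/`espauthkey` values in the two quoted conns and compares them with the key sizes the named algorithms define. It assumes `esp=<cipher>-<hash>` and that `aes128` denotes a 128-bit key; the function names and tables are illustrative.

```python
import re

# Key sizes in bits as defined by the algorithms; aesNNN is assumed to mean NNN bits.
ENC_BITS = {"3des": {192}, "aes128": {128}, "aes192": {192}, "aes256": {256}}
AUTH_BITS = {"md5": {128}, "sha1": {160}}

# The two manually keyed conns from the quoted ipsec.conf, values as posted.
SAMPLE = """\
conn host-to-host
    esp=aes128-sha1
    espenckey=0x12345678_9abcdef8_2468ace1_13579bdf
    espauthkey=0x12345671_abcdef24_01234edf_efdcba65_12345678
conn left-to-right
    esp=3des-sha1-96
    espenckey=0x12345678_9abcdef8_2468ace1_13579bdf_2468ace1_13579bdf
    espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf_12342468
"""

def key_bits(value):
    """Bit length of a 0x... hex key; '_' separators are ignored."""
    m = re.fullmatch(r"0x([0-9a-f_]+)", value.strip().lower())
    if m is None:
        raise ValueError(f"not a hex key: {value!r}")
    return 4 * len(m.group(1).replace("_", ""))

def parse_conns(text):
    """Return {conn name: {parameter: value}} from indented name=value lines."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and line[:1].isspace() and "=" in line:
            name, _, value = line.strip().partition("=")
            current[name] = value
    return conns

def check_conn(params):
    """Problems with one conn's manual keys ([] if the lengths match)."""
    enc, auth = params["esp"].split("-")[:2]
    checks = [("espenckey", enc, ENC_BITS.get(enc, set())),
              ("espauthkey", auth, AUTH_BITS.get(auth, set()))]
    return [f"{field} is {key_bits(params[field])} bits; {alg} allows {sorted(ok)}"
            for field, alg, ok in checks if key_bits(params[field]) not in ok]

if __name__ == "__main__":
    for name, params in parse_conns(SAMPLE).items():
        print(name, check_conn(params) or "key lengths OK")
```

For the values as posted, both conns pass: 128/160 bits for `host-to-host` and 192/160 bits for `left-to-right`.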