[Openswan Users] Using 1DES :(

Rajkumar S rajkumars at asianetindia.com
Tue Aug 30 22:33:11 CEST 2005


Hi,

I am writing to this list after racking my brain for the past 36 hours :(

My objective is to connect a Linux box to a PIX VPN. The PIX can only
support DES. So I downloaded super-freeswan-1.99.8 and compiled it with
linux-2.4.21.

My configuration file is

config setup
          interfaces=%defaultroute
          klipsdebug=all
          plutodebug=all
          plutoload=%search
          plutostart=%search
          uniqueids=yes

conn %default
          keyingtries=0
          disablearrivalcheck=no
          authby=secret
          leftrsasigkey=%dnsondemand
          rightrsasigkey=%dnsondemand

conn sample
          left=202.88.100.83
          leftsubnet=192.168.3.0/25
          leftnexthop=202.88.100.86
          right=202.88.101.13
          rightsubnet=13.1.1.0/24
          rightnexthop=202.88.101.1
          auto=add
          pfs=no
          keyexchange=ike
          ike=des-md5-56
          esp=des


I have the ipsec_1des module loaded and the DES algorithm is also loaded:

000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=64, keysizemin=56,
keysizemax=56


From the pluto logs:

pluto[1748]: | *received whack message
pluto[1748]: | from whack: got --esp=des
pluto[1748]: | alg_info_parse_str() ealg_buf=des aalg_buf=eklen=0  aklen=0
pluto[1748]: | enum_search_prefix () calling enum_search(0x80ae914,
"ESP_DES")
pluto[1748]: | parser_alg_info_add() ealg_getbyname("des")=2
pluto[1748]: | __alg_info_esp_add() ealg=2 aalg=1 cnt=1
pluto[1748]: | __alg_info_esp_add() ealg=2 aalg=2 cnt=2
pluto[1748]: | esp string values: 2_000-1, 2_000-2, flags=-strict
pluto[1748]: | from whack: got --ike=des-md5-56
pluto[1748]: | alg_info_parse_str() ealg_buf=des aalg_buf=md5eklen=0
aklen=56
pluto[1748]: | enum_search_prefix () calling enum_search(0x80af5f8,
"OAKLEY_DES")
pluto[1748]: | enum_search_ppfixi () calling enum_search(0x80af5f8,
"OAKLEY_DES_CBC")
pluto[1748]: | parser_alg_info_add() ealg_getbyname("des")=1
pluto[1748]: | enum_search_prefix () calling enum_search(0x80af674,
"OAKLEY_MD5")
pluto[1748]: | parser_alg_info_add() aalg_getbyname("md5")=1
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=5, cnt=1
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=2, cnt=2
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=1, cnt=3
pluto[1748]: | ike string values: 1_000-1-5, 1_000-1-2, 1_000-1-1,
flags=-strict
pluto[1748]: | alg_info_addref() alg_info->ref_cnt=1
pluto[1748]: | alg_info_addref() alg_info->ref_cnt=1
pluto[1748]: added connection description "sample"
pluto[1748]: |
192.168.3.0/25===202.88.100.83---202.88.100.86...202.88.101.1---202.88.101.13===13.1.1.0/24
pluto[1748]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL

It seems to me that ealg_getbyname is getting the data, but towards the
end (after I have given ipsec auto --up sample):

pluto[1748]: | ike_alg_db_new() ike enc ealg=1 not present
pluto[1748]: "sample" #1: empty ISAKMP SA proposal to send (no
algorithms for ike selection?)

It fails to find the ealg=1. I am attaching the full barf as a zip file.

The cisco configs are like this:

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption des
isakmp policy 3 hash md5
isakmp policy 3 group 1
isakmp policy 3 lifetime 86400
isakmp policy 3 lifetime 86400
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

This is working fine and many Cisco devices are peering with it. The shared
password's length is 11 characters.

I will be very, very grateful if someone can help me get this
working. For the past two days I have been trying out everything I can
think of and find on Google. Any alternative solution is also
welcome; I just want to connect to the PIX :(

raj

-------------- next part --------------
A non-text attachment was scrubbed...
Name: barf.zip
Type: application/zip
Size: 13208 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20050830/b5b29f24/barf-0001.zip
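Added example, not part of the post above and not pluto's own code: a small Python reimplementation of the proposal-string grammar that the alg_info_parse_str() debug lines show. The grammar (ealg[eklen]-aalg[aklen]-modpNNNN, comma separated) is an assumption reconstructed from those lines; the two expansions seen in the log are reproduced (esp=des becoming aalg 1 and 2, an ike= entry without a group becoming modp_id 5, 2, 1), and the numeric ids are the ISAKMP/IPsec DOI values pluto prints. On top of the parser it flags the choices a reviewer would reject today: single DES, MD5 and DH groups 1 and 2. The Cisco keyword mapping and the sample policy text are taken from the PIX configuration in the post; the checker's weak-algorithm policy is mine, not pluto's.

```python
"""Parse openswan/freeswan-style ike= / esp= proposal strings and flag weak
algorithms.  Added example, not code from the mailing-list post or from pluto.

Grammar (assumption, reconstructed from the alg_info_parse_str() debug lines):
    proposal := ealg[eklen] [ "-" aalg[aklen] ] [ "-" modpNNNN ]
    value    := proposal ( "," proposal )*
"""
import re
from collections import namedtuple

Proposal = namedtuple("Proposal", "ealg eklen aalg aklen modp")

IKE_ENC = {"des": 1, "3des": 5, "aes": 7}          # OAKLEY_*_CBC ids
IKE_HASH = {"md5": 1, "sha1": 2, "sha": 2}         # OAKLEY_MD5 / OAKLEY_SHA
ESP_ENC = {"des": 2, "3des": 3, "aes": 12}         # ESP_* transform ids
ESP_AUTH = {"md5": 1, "sha1": 2, "sha": 2}         # AUTH_ALGORITHM_HMAC_*
MODP_GROUP = {768: 1, 1024: 2, 1536: 5, 2048: 14}  # modulus bits -> DH group id
DEFAULT_IKE_GROUPS = (5, 2, 1)                     # order as printed in the log
DEFAULT_ESP_AUTHS = (1, 2)                         # hmac-md5, hmac-sha1

# Choices this checker flags (reviewer's policy, not pluto's).
WEAK_IKE_ENC = {1: "single DES (56-bit key)"}
WEAK_ESP_ENC = {2: "single DES (56-bit key)"}
WEAK_HASH = {1: "MD5"}
WEAK_GROUP = {1: "DH group 1 (modp768)", 2: "DH group 2 (modp1024)"}

_NAME = re.compile(r"^(3des|des|aes|md5|sha1|sha)(\d*)$")


def _name_len(tok):
    """Split 'aes128' into ('aes', 128); a bare name gets key length 0."""
    m = _NAME.match(tok)
    if not m:
        raise ValueError("unknown algorithm token %r" % tok)
    return m.group(1), int(m.group(2) or 0)


def parse_proposals(kind, text):
    """Parse one ike= ('ike') or esp= ('esp') value into Proposal tuples."""
    enc_tab, auth_tab = (IKE_ENC, IKE_HASH) if kind == "ike" else (ESP_ENC, ESP_AUTH)
    result = []
    for item in text.split(","):
        parts = item.strip().lower().split("-")
        ename, eklen = _name_len(parts[0])
        aname, aklen, modp = None, 0, None
        for p in parts[1:]:
            if p.startswith("modp"):
                modp = MODP_GROUP[int(p[4:])]
            elif p.isdigit():
                # A bare number after the auth alg is its key length: the post's
                # log shows "des-md5-56" parsed as eklen=0 aklen=56.
                if aname is None:
                    raise ValueError("key length %r without an algorithm" % p)
                aklen = int(p)
            else:
                aname, aklen = _name_len(p)
        ealg = enc_tab[ename]
        if kind == "esp":
            # esp= without an auth alg expands to one entry per default auth alg
            aalgs = [auth_tab[aname]] if aname else list(DEFAULT_ESP_AUTHS)
            result += [Proposal(ealg, eklen, a, aklen, modp) for a in aalgs]
        else:
            # ike= without a group expands to one entry per default DH group
            aalg = auth_tab[aname] if aname else None
            groups = [modp] if modp else list(DEFAULT_IKE_GROUPS)
            result += [Proposal(ealg, eklen, aalg, aklen, g) for g in groups]
    return result


def weak_findings(kind, text):
    """Sorted, de-duplicated list of weak choices in an ike= or esp= value."""
    weak_enc = WEAK_IKE_ENC if kind == "ike" else WEAK_ESP_ENC
    found = set()
    for p in parse_proposals(kind, text):
        found.update(x for x in (weak_enc.get(p.ealg), WEAK_HASH.get(p.aalg),
                                 WEAK_GROUP.get(p.modp)) if x)
    return sorted(found)


# Sample PIX policy lines, copied from the post.
PIX_SAMPLE = """\
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption des
isakmp policy 3 hash md5
isakmp policy 3 group 1
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

_ISAKMP = re.compile(r"^\s*isakmp policy (\d+) (encryption|hash|group) (\S+)")


def cisco_isakmp_findings(config_text):
    """Same check for Cisco 'isakmp policy N ...' lines: {policy: findings}."""
    policies = {}
    for line in config_text.splitlines():
        m = _ISAKMP.match(line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    out = {}
    for num, pol in policies.items():
        found = set()
        if pol.get("encryption") == "des":
            found.add(WEAK_IKE_ENC[1])
        if pol.get("hash") == "md5":
            found.add(WEAK_HASH[1])
        g = pol.get("group")
        if g and int(g) in WEAK_GROUP:
            found.add(WEAK_GROUP[int(g)])
        out[num] = sorted(found)
    return out


if __name__ == "__main__":
    for kind, value in (("ike", "des-md5-56"), ("esp", "des")):
        for prop in parse_proposals(kind, value):
            print("%s=%s -> %s" % (kind, value, prop))
        print("  weak:", weak_findings(kind, value))
    print(cisco_isakmp_findings(PIX_SAMPLE))
```

Run on the post's own values, ike=des-md5-56 yields three entries (ealg=1, aalg=1, modp 5/2/1) with the trailing 56 landing in aklen, exactly as the debug lines show, and esp=des yields ealg=2 with aalg 1 and 2; both sides of this tunnel, and every PIX policy in the sample, are flagged for single DES and MD5, so the only real fix is a peer that can negotiate something stronger.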
