[Openswan Users] Using 1DES :(
Rajkumar S
rajkumars at asianetindia.com
Tue Aug 30 22:33:11 CEST 2005
Hi,
I am writing to this list after wracking my brain for the past 36 hours :(
My objective is to connect a Linux box to a PIX VPN. The PIX can only
support DES. So I downloaded super-freeswan-1.99.8 and compiled it with
linux-2.4.21.
My configuration file is
config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=secret
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand

conn sample
        left=202.88.100.83
        leftsubnet=192.168.3.0/25
        leftnexthop=202.88.100.86
        right=202.88.101.13
        rightsubnet=13.1.1.0/24
        rightnexthop=202.88.101.1
        auto=add
        pfs=no
        keyexchange=ike
        ike=des-md5-56
        esp=des
I have the ipsec_1des module loaded and the DES algorithm is also loaded:
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=64, keysizemin=56, keysizemax=56
From the pluto logs:
pluto[1748]: | *received whack message
pluto[1748]: | from whack: got --esp=des
pluto[1748]: | alg_info_parse_str() ealg_buf=des aalg_buf=eklen=0 aklen=0
pluto[1748]: | enum_search_prefix () calling enum_search(0x80ae914, "ESP_DES")
pluto[1748]: | parser_alg_info_add() ealg_getbyname("des")=2
pluto[1748]: | __alg_info_esp_add() ealg=2 aalg=1 cnt=1
pluto[1748]: | __alg_info_esp_add() ealg=2 aalg=2 cnt=2
pluto[1748]: | esp string values: 2_000-1, 2_000-2, flags=-strict
pluto[1748]: | from whack: got --ike=des-md5-56
pluto[1748]: | alg_info_parse_str() ealg_buf=des aalg_buf=md5eklen=0 aklen=56
pluto[1748]: | enum_search_prefix () calling enum_search(0x80af5f8, "OAKLEY_DES")
pluto[1748]: | enum_search_ppfixi () calling enum_search(0x80af5f8, "OAKLEY_DES_CBC")
pluto[1748]: | parser_alg_info_add() ealg_getbyname("des")=1
pluto[1748]: | enum_search_prefix () calling enum_search(0x80af674, "OAKLEY_MD5")
pluto[1748]: | parser_alg_info_add() aalg_getbyname("md5")=1
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=5, cnt=1
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=2, cnt=2
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=1, cnt=3
pluto[1748]: | ike string values: 1_000-1-5, 1_000-1-2, 1_000-1-1, flags=-strict
pluto[1748]: | alg_info_addref() alg_info->ref_cnt=1
pluto[1748]: | alg_info_addref() alg_info->ref_cnt=1
pluto[1748]: added connection description "sample"
pluto[1748]: | 192.168.3.0/25===202.88.100.83---202.88.100.86...202.88.101.1---202.88.101.13===13.1.1.0/24
pluto[1748]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL
It seems to me that ealg_getbyname is getting the data, but towards the
end (after I have given ipsec auto --up sample)
pluto[1748]: | ike_alg_db_new() ike enc ealg=1 not present
pluto[1748]: "sample" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
It fails to find the ealg=1. I am attaching the full barf as a zip file.
The Cisco configs are like this:
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption des
isakmp policy 3 hash md5
isakmp policy 3 group 1
isakmp policy 3 lifetime 86400
isakmp policy 3 lifetime 86400
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
This is working fine and many Cisco devices are peering to it. The share
password's length is 11 characters.
I will be very, very grateful if someone can help me to get this
working. For the past two days I have been trying out everything I can
think of and get from Google. Any other alternate solution is also
welcome, I just want to connect to the PIX :(
raj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: barf.zip
Type: application/zip
Size: 13208 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20050830/b5b29f24/barf-0001.zip
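
An added example, not part of the original post and not Openswan code: a small Python script that reads pluto debug output like the lines quoted in the message and shows which parsed IKE proposals remain once the ciphers logged as "not present" are dropped. The function name `diagnose` and the result keys are hypothetical, and the sample log is constructed from the lines in the post with wrapped lines rejoined.

```python
import re

# Constructed sample: pluto debug lines from the post above, wrapped lines rejoined.
SAMPLE_LOG = '''\
pluto[1748]: | from whack: got --esp=des
pluto[1748]: | parser_alg_info_add() ealg_getbyname("des")=2
pluto[1748]: | from whack: got --ike=des-md5-56
pluto[1748]: | parser_alg_info_add() ealg_getbyname("des")=1
pluto[1748]: | parser_alg_info_add() aalg_getbyname("md5")=1
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=5, cnt=1
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=2, cnt=2
pluto[1748]: | __alg_info_ike_add() ealg=1 aalg=1 modp_id=1, cnt=3
pluto[1748]: | ike_alg_db_new() ike enc ealg=1 not present
pluto[1748]: "sample" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
'''

SECTION = re.compile(r"from whack: got --(esp|ike)=")
BYNAME = re.compile(r'ealg_getbyname\("(\w+)"\)=(\d+)')
IKE_ADD = re.compile(r"__alg_info_ike_add\(\) ealg=(\d+) aalg=(\d+) modp_id=(\d+)")
NOT_PRESENT = re.compile(r"ike_alg_db_new\(\) ike enc ealg=(\d+) not present")
EMPTY = re.compile(r'"([^"]+)" #\d+: empty ISAKMP SA proposal to send')


def diagnose(log_text):
    """Correlate the IKE proposals pluto parsed with what it rejected at negotiation."""
    section, names = None, {}
    requested, missing, empty = [], set(), []
    for line in log_text.splitlines():
        if m := SECTION.search(line):
            section = m.group(1)  # ESP and IKE number their ciphers separately
        elif (m := BYNAME.search(line)) and section == "ike":
            names[int(m.group(2))] = m.group(1)  # IKE cipher id -> name from the config
        elif m := IKE_ADD.search(line):
            requested.append(tuple(int(g) for g in m.groups()))  # (ealg, aalg, modp_id)
        elif m := NOT_PRESENT.search(line):
            missing.add(int(m.group(1)))
        elif m := EMPTY.search(line):
            empty.append(m.group(1))
    usable = [p for p in requested if p[0] not in missing]
    return {
        "requested": requested,
        "missing_enc": {e: names.get(e, "unknown") for e in sorted(missing)},
        "usable": usable,
        "empty_proposal": empty,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, all three requested proposals share the encryption id reported as not present, so none remain, which matches the "empty ISAKMP SA proposal" line for connection "sample".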