[Openswan Users] Openswan <--> HP-UX success stories?
mayfield+openswan at sackheads.org
Tue Jan 11 14:16:06 CET 2005
Hi. For the last few years, I've used Freeswan and Openswan to
do simple PSK transport mode IPSec for Linux<=>AIX and Linux<=>Win2K.
Recently I received an HP-UX 11i machine for a project and I'd like to
get Linux<=>HPUX running as well. So far, I've had no luck getting
Freeswan or Openswan to play nicely with HP's IPSec/9000 implementation.

On the HP side, I've set up an IKE policy for 3DES, SHA1 and Group 2 DH
using the following:

    ipsec_config add ike kaon -remote XX.XX.XX.XX -auth PSK -group 2 \
        -hash SHA1 -enc 3DES -life 1800

On the Linux side, I've specified 3des-sha1-modp1024 as the IKE algorithms:

However, the initial handshake fails. On the HP side, the syslog file shows

    secauditd: IPSEC : Level : 2 Event : atts ENCR_ALG:3DES_CBC is not acceptable, Date : Mon Jan 10 20:31:35 2005
    secauditd: IPSEC : Level : 2 Event : Rejected Transform ID: KEY_IKE, Date : Mon Jan 10 20:31:35 2005
    secauditd: IPSEC : Level : 1 Event : Authentication failed, Date : Mon Jan 10 20:31:36 2005

If I'm parsing this correctly, it's rejecting 3DES as the IKE encryption
algorithm (even though the manpage claims it's supported). The only other
IKE encryption algorithm supported by HP's IKE is plain DES which of course
isn't supported by Freeswan or Openswan.
Since my Openswan configuration is currently working with AIX and Win2K, I
have to assume that this is an HP problem (or perhaps I'm missing something
obvious). Still, I posted here in hopes that somebody reading has succeeded
in getting Openswan and HP-UX to talk to each other.

    Openswan 2.3.0 (also fails with Freeswan 1.99)
    IPSec: J256AA A.02.00

Any clues would be appreciated.
http://www.sackheads.org/mayfield email: mayfield+openswan at sackheads.org
My mail provider does not welcome UCE -- http://www.sackheads.org/uce
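
Added example, not part of the original post and not HP or Openswan code: a Python parser for the three secauditd lines quoted above that re-joins the wrapped records and ties the "Authentication failed" event to the attribute rejection logged just before it. The record layout is inferred from those three lines only, and the function names and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# The three secauditd records from the post, with their line wraps preserved.
SAMPLE = """\
secauditd: IPSEC : Level : 2 Event : atts ENCR_ALG:3DES_CBC is not
acceptable, Date : Mon Jan 10 20:31:35 2005
secauditd: IPSEC : Level : 2 Event : Rejected Transform ID: KEY_IKE,
Date : Mon Jan 10 20:31:35 2005
secauditd: IPSEC : Level : 1 Event : Authentication failed, Date :
Mon Jan 10 20:31:36 2005
"""

# Record layout inferred from those three lines only (assumption).
RECORD = re.compile(r"secauditd:\s*IPSEC\s*:\s*Level\s*:\s*(\d+)\s+Event\s*:\s*(.*?),\s*Date\s*:\s*(.+)")
REJECTED_ATTR = re.compile(r"atts (\w+):(\w+) is not acceptable")

def parse_records(text):
    """Re-join wrapped lines, then return one dict per IPSEC audit record."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("secauditd:") or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line  # continuation of a wrapped record
    records = []
    for entry in joined:
        m = RECORD.fullmatch(entry)
        if m:
            when = datetime.strptime(m.group(3), "%a %b %d %H:%M:%S %Y")
            records.append({"level": int(m.group(1)), "event": m.group(2), "time": when})
    return records

def explain_failures(records, window=timedelta(seconds=5)):
    """For each 'Authentication failed', list attributes rejected shortly before it."""
    findings = []
    for i, rec in enumerate(records):
        if rec["event"] != "Authentication failed":
            continue
        rejected = []
        for prev in records[:i]:
            m = REJECTED_ATTR.fullmatch(prev["event"])
            if m and rec["time"] - prev["time"] <= window:
                rejected.append((m.group(1), m.group(2)))
        findings.append({"time": rec["time"], "rejected": rejected})
    return findings

if __name__ == "__main__":
    for f in explain_failures(parse_records(SAMPLE)):
        print(f["time"], "auth failed; rejected just before:", f["rejected"] or "nothing")
```

An authentication failure with an empty `rejected` list would point away from a proposal mismatch and toward the PSK or identity configuration instead.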