[Openswan Users] Openswan <--> HP-UX success stories?
Jimmie Mayfield
mayfield+openswan at sackheads.org
Tue Jan 11 14:16:06 CET 2005
Hi. For the last few years, I've used Freeswan and Openswan to
do simple PSK transport mode IPSec for Linux<=>AIX and Linux<=>Win2K.
Recently I received an HP-UX 11i machine for a project and I'd like to
get Linux<=>HPUX running as well. So far, I've had no luck getting
either Freeswan or Openswan to play nicely with HP's IPSec/9000 implementation.
On the HP side, I've set up an IKE policy for 3DES, SHA1 and Group 2 DH
using the following:

    ipsec_config add ike kaon -remote XX.XX.XX.XX -auth PSK -group 2 \
        -hash SHA1 -enc 3DES -life 1800

On the Linux side, I've specified 3des-sha1-modp1024 as the IKE algorithms:

conn %default
    auth=esp
    authby=secret
    disablearrivalcheck=no
    keyingtries=0
    keylife=1800s
    ikelifetime=1800s
    pfs=yes

conn kaon-hadron
    left=kaon.XX.XX.XX
    leftnexthop=%defaultroute
    right=hadron.XX.XX.XX
    rightnexthop=%defaultroute
    auto=start
    compress=no
    esp=aes128-sha1
    ike=3des-sha1-modp1024
    pfs=no
    type=transport

However, the initial handshake fails. On the HP side, the syslog file shows
the following:

    secauditd[6144]: IPSEC : Level : 2 Event : atts ENCR_ALG:3DES_CBC is not
        acceptable, Date : Mon Jan 10 20:31:35 2005
    secauditd[6144]: IPSEC : Level : 2 Event : Rejected Transform ID: KEY_IKE,
        Date : Mon Jan 10 20:31:35 2005
    secauditd[6144]: IPSEC : Level : 1 Event : Authentication failed, Date :
        Mon Jan 10 20:31:36 2005

If I'm parsing this correctly, it's rejecting 3DES as the IKE encryption
algorithm (even though the manpage claims it's supported). The only other
IKE encryption algorithm supported by HP's IKE is plain DES which of course
isn't supported by Freeswan or Openswan.

Since my Openswan configuration is currently working with AIX and Win2K, I
have to assume that this is an HP problem (or perhaps I'm missing something
obvious). Still, I posted here in hopes that somebody reading has succeeded
in getting Openswan and HP-UX to talk to each other.

Linux: 2.4.28
Openswan 2.3.0 (also fails with Freeswan 1.99)
HP-UX: 11.11
IPSec: J256AA A.02.00

Any clues would be appreciated.

Jimmie
--
Jimmie Mayfield
http://www.sackheads.org/mayfield email: mayfield+openswan at sackheads.org
My mail provider does not welcome UCE -- http://www.sackheads.org/uce
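
Added example (not part of the original post): a small Python check that re-joins the wrapped secauditd entries quoted above, extracts the rejected IKE attribute, and compares the HP-UX ipsec_config options with the Openswan ike= value. The function names are hypothetical, the modp-to-group mapping is the standard IKEv1 numbering, and treating the log's 3DES_CBC as the policy's 3DES is an assumption.

```python
import re
import shlex

# Sample input constructed from the post: the secauditd entries as wrapped
# there, the HP-UX ipsec_config command, and the Openswan ike= value.
HP_LOG = """\
secauditd[6144]: IPSEC : Level : 2 Event : atts ENCR_ALG:3DES_CBC is not
acceptable, Date : Mon Jan 10 20:31:35 2005
secauditd[6144]: IPSEC : Level : 2 Event : Rejected Transform ID: KEY_IKE,
Date : Mon Jan 10 20:31:35 2005
secauditd[6144]: IPSEC : Level : 1 Event : Authentication failed, Date :
Mon Jan 10 20:31:36 2005
"""
HP_CMD = ("ipsec_config add ike kaon -remote XX.XX.XX.XX -auth PSK -group 2 "
          "-hash SHA1 -enc 3DES -life 1800")
OPENSWAN_IKE = "3des-sha1-modp1024"

ENTRY = re.compile(r"secauditd\[\d+\]: IPSEC : Level : (\d+) Event : (.*), Date : (.*)")
REJECTED = re.compile(r"atts (\w+):(\w+) is not acceptable")
# Openswan names DH groups by modulus size; IKEv1 numbers them (RFC 2409/3526).
MODP_TO_GROUP = {"modp768": "1", "modp1024": "2", "modp1536": "5"}

def parse_log(text):
    """Re-join wrapped lines, then return (level, event, date) per entry."""
    joined = re.sub(r"\n(?!secauditd\[)", " ", text.strip())
    return [(int(m[1]), m[2], m[3]) for m in map(ENTRY.match, joined.splitlines()) if m]

def hp_policy(cmd):
    """(enc, hash, group) from the -enc/-hash/-group options of ipsec_config."""
    args = shlex.split(cmd)
    opts = {a: b for a, b in zip(args, args[1:]) if a.startswith("-")}
    return opts["-enc"], opts["-hash"], opts["-group"]

def openswan_proposal(ike):
    """(enc, hash, group) from an ike= value such as 3des-sha1-modp1024."""
    enc, digest, group = ike.split("-")
    return enc.upper(), digest.upper(), MODP_TO_GROUP[group]

def diagnose(log, cmd, ike):
    policy = hp_policy(cmd)
    rejected = [m.groups() for m in (REJECTED.search(ev) for _, ev, _ in parse_log(log)) if m]
    return {
        "configs_agree": policy == openswan_proposal(ike),
        "rejected": rejected,
        # Assumption: the log's 3DES_CBC is the cipher the policy calls 3DES.
        "rejected_but_configured": [v for a, v in rejected
                                    if a == "ENCR_ALG" and v.startswith(policy[0])],
    }

if __name__ == "__main__":
    print(diagnose(HP_LOG, HP_CMD, OPENSWAN_IKE))
```

On the values quoted in the post, both sides name the same cipher, hash and DH group, and the one attribute the HP side logs as rejected is that same cipher.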