[Openswan Users] OpenSwan 2.3.1 implements AES on Phase 1?

Cassio Bobsin Machado cassiobm at gmail.com
Fri Jul 15 19:43:14 CEST 2005


Paul,

When I insert this line, this connection is not even started, like
there was a parsing error. In fact, looking at the "man ipsec.conf"
this option "ike=" is not even mentioned. It seems like it was
discontinued in this last version of OpenSwan...

I have all logs turned on...
   klipsdebug=all
   plutodebug=all
...and in more than 100Mbytes of log (5 days) there is no presence of
any "aes" string.

I've read a lot of documentation, and as far as I know, IKE should
prepare many proposals to send to the server (along with the PSK) so
they could choose the one that fits both. Problem is that it is not
preparing the proposals with AES, and I can't set anything with
"ike="... this is a bit frustrating... :-(

Do you have version 2.3.1 with this parameter being used?


Regards,

Cassio Bobsin Machado

2005/7/15, Paul Wouters <paul at xelerance.com>:
> On Fri, 15 Jul 2005, Cassio Bobsin Machado wrote:
> 
> > I'm trying to connect with a CiscoPIX that requires AES-256, SHA1,
> > DHG2 for Phase 1 and, after some log analysis, I've reached a problem.
> >
> > When preparing ISAKMP Proposal, OpenSwan does not try to make any
> > combination with AES, only tries with 3DES for encryption.
> >
> > I couldn't find in any documentation from OpenSwan (they're a bit
> > confusing, mixing old FreeSwan info) that covers this issue.
> >
> > I tried to force with parameters like "ike=aes" or a dozen other
> > variations but, when I try any of these, it simply does not parse
> > IPSEC.CONF.
> 
> Can you try using ike=aes256 and tell me if that fixes your problem?
> 
> Paul
>

