[Openswan Users] OpenSwan 2.3.1 implements AES on Phase 1?
steve at wanalan.com
Mon Jul 18 15:37:09 CEST 2005
From what I understand, Openswan only supports AES 128 bits in IKE, as
you can see from the "ipsec auto status":
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
If my assumption is valid then your Cisco PIX Phase 1 settings of AES256
will not be able to talk to Openswan.

"ike=" does work well in my configuration. I'm using Openswan 2.3.1 too.
Check if the indent is correct?
Cassio Bobsin Machado wrote:
>When I insert this line, this connection is not even started, like
>there was a parsing error. In fact, looking at the "man ipsec.conf"
>this option "ike=" is not even mentioned. It seems like it was
>discontinued in this last version of OpenSwan...
>I have all logs turned on...
>...and in more than 100Mbytes of log (5 days) there is no presence of
>any "aes" string.
>I've read a lot of documentation, and as far as I know, IKE should
>prepare many proposals to send to the server (along with the PSK) so
>they could choose the one that fits both. Problem is that it is not
>preparing the proposals with AES, and I can't set anything with
>"ike="... this is a bit frustrating... :-(
>Do you have version 2.3.1 with this parameter being used?
>Cassio Bobsin Machado
>2005/7/15, Paul Wouters <paul at xelerance.com>:
>>On Fri, 15 Jul 2005, Cassio Bobsin Machado wrote:
>>>I'm trying to connect with a CiscoPIX that requires AES-256, SHA1,
>>>DHG2 for Phase 1 and, after some log analysis, I've reached a problem.
>>>When preparing ISAKMP Proposal, OpenSwan does not try to make any
>>>combination with AES, only tries with 3DES for encryption.
>>>I couldn't find in any documentation from OpenSwan (they're a bit
>>>confusing, mixing old FreeSwan info) that covers this issue.
>>>I tried to force with parameters like "ike=aes" or a dozen of other
>>>variations but, when I try any of these, it simply does not parse
>>Can you try using ike=aes256 and tell me if that fixes your problem?
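The indentation check suggested in the reply above can be automated. The following is an added example, not code from the thread or from Openswan: it relies on the ipsec.conf rule that parameter lines inside a section begin with white space, and the sample configuration, the address 192.0.2.1 and the function name `lint_ipsec_conf` are constructed for illustration.

```python
import re

# Constructed sample: the "ike=" line starts in column one, so it is not
# read as part of the "conn pix" section above it.
SAMPLE_CONF = """\
version 2.0

config setup
    interfaces=%defaultroute

conn pix
    left=%defaultroute
    right=192.0.2.1
    authby=secret
ike=aes256
    auto=start
"""

PARAM = re.compile(r"^([A-Za-z_][\w-]*)\s*=")   # key=value line
HEADER = re.compile(r"^(config|conn)\s+(\S+)")  # section header in column one


def lint_ipsec_conf(text):
    """Return (line_number, message) for misplaced parameter lines."""
    findings = []
    section = None
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank and comment-only lines
        if raw[0] not in " \t":
            header = HEADER.match(raw)
            param = PARAM.match(raw)
            if header:
                section = f"{header.group(1)} {header.group(2)}"
            elif param:
                findings.append((no, f"'{param.group(1)}=' starts in column "
                                     f"one; indent it to keep it in '{section}'"))
            continue
        if section is None and PARAM.match(raw.lstrip()):
            findings.append((no, "parameter appears before any section header"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_ipsec_conf(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```
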