[Openswan Users] OpenSwan 2.3.1 implements AES on Phase 1?

Steve steve at wanalan.com
Mon Jul 18 15:37:09 CEST 2005


Hi Guys,

From what I understand, Openswan only supports 128-bit AES in IKE, as 
you can see from the "ipsec auto status" output:

000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192

If my assumption is valid, then your Cisco PIX Phase 1 setting of AES256 
will not be able to talk to Openswan.

"ike=" does work well in my configuration. I'm using Openswan 2.3.1 too. 
Have you checked whether the indentation is correct?

Regards,
Steve

Cassio Bobsin Machado wrote:

>Paul,
>
>When I insert this line, this connection is not even started, like
>there was a parsing error. In fact, looking at the "man ipsec.conf"
>this option "ike=" is not even mentioned. It seems like it was
>discontinued in this last version of OpenSwan...
>
>I have all logs turned on...
>   klipsdebug=all
>   plutodebug=all
>...and in more than 100Mbytes of log (5 days) there is no presence of
>any "aes" string.
>
>I've read a lot of documentation, and as far as I know, IKE should
>prepare many proposals to send to the server (along with the PSK) so
>they could choose the one that fits both. The problem is that it is not
>preparing the proposals with AES, and I can't set anything with
>"ike="... this is a bit frustrating... :-(
>
>Do you have version 2.3.1 with this parameter being used?
>
>
>Regards,
>
>Cassio Bobsin Machado
>
>2005/7/15, Paul Wouters <paul at xelerance.com>:
>>On Fri, 15 Jul 2005, Cassio Bobsin Machado wrote:
>>
>>>I'm trying to connect with a Cisco PIX that requires AES-256, SHA1,
>>>DHG2 for Phase 1 and, after some log analysis, I've reached a problem.
>>>
>>>When preparing ISAKMP Proposal, OpenSwan does not try to make any
>>>combination with AES, only tries with 3DES for encryption.
>>>
>>>I couldn't find in any documentation from OpenSwan (they're a bit
>>>confusing, mixing old FreeSwan info) that covers this issue.
>>>
>>>I tried to force with parameters like "ike=aes" or a dozen of other
>>>variations but, when I try any of these, it simply does not parse
>>>IPSEC.CONF.
>>Can you try using ike=aes256 and tell me if that fixes your problem?
>>
>>Paul
>>
>_______________________________________________
>Users mailing list
>Users at openswan.org
>http://lists.openswan.org/mailman/listinfo/users
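As an added illustration (not part of this thread's messages), here is an Openswan-style ipsec.conf conn whose Phase 1 proposal is spelled out as Paul's "ike=" suggestion implies, matching a peer that requires AES-256, SHA1 and DH group 2 (modp1024). The conn name, addresses and subnets are placeholders, and every parameter line is indented because an unindented line under "conn" is what typically makes ipsec.conf fail to parse.

```conf
# Added example, not from the thread: Phase 1 proposal pinned to
# AES-256 / SHA1 / DH group 2 (modp1024) for an Openswan 2.x conn.
# Parameter lines under "conn" must be indented (tab or spaces).
conn pix-aes256
	# Phase 1 (IKE): cipher-hash-dhgroup
	ike=aes256-sha1-modp1024
	# pre-shared key, taken from ipsec.secrets
	authby=secret
	# placeholder addresses: local gateway and the PIX outside address
	left=192.0.2.10
	leftsubnet=10.0.0.0/24
	right=198.51.100.1
	rightsubnet=10.1.0.0/24
	auto=add
```

After "ipsec auto --add pix-aes256", "ipsec auto --status" lists the conn together with the IKE algorithms it will propose, which is the quickest way to confirm the "ike=" line was parsed and AES is actually being offered.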