[Openswan Users] OpenSwan 2.3.1 implements AES on Phase 1?

Cassio Bobsin Machado cassiobm at gmail.com
Mon Jul 18 11:07:16 CEST 2005


Steve, indentation is correct... I retyped it almost a hundred
times... :-( ... It does not accept anything that looks like "ike="...

conn tim
        auto=start
        type=tunnel
        #LEFT:Human
        left=200.192.***.***
        leftnexthop=%defaultroute
        leftsubnet=200.192.***.***/32
        #RIGHT:Tim
        right=200.179.***.***
        #rightnexthop=
        rightsubnet=200.179.***.***/24
        authby=secret
        keyexchange=ike
        ike=aes
        auth=esp
        esp=aes256-sha1-modp1024

Obs: please remember that I tried every possible combination of aes,
aes128, aes256, sha, sha1, modp1024 in "ike="... Whenever I insert a
line containing "ike=" it does not parse this connection.

In fact, my version isn't even trying AES128 in the negotiation. Only 3DES.

If I downgrade to an earlier OpenSwan version, do you guys think that
would work? Do you recommend any specific version?

Otherwise, is there another free VPN software that could be installed
to make such a connection?


Best regards,

Cassio Bobsin Machado


2005/7/18, Steve <steve at wanalan.com>:
> Hi Guys,
> 
>  From what I understand, openswan only supports AES 128 bits in IKE, as
> you can see from the "ipsec auto status"
> 
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 
> If my assumption is valid then your Cisco PIX Phase 1 settings of AES256
> will not be able to talk to openswan.
> 
> "ike=" does work well in my configuration. I'm using openswan 2.3.1 too.
> Could you check if the indent is correct?
> 
> Regards,
> Steve
> 
> Cassio Bobsin Machado wrote:
> 
> >Paul,
> >
> >When I insert this line, this connection is not even started, like
> >there was a parsing error. In fact, looking at the "man ipsec.conf"
> >this option "ike=" is not even mentioned. It seems like it was
> >discontinued in this last version of OpenSwan...
> >
> >I have all logs turned on...
> >   klipsdebug=all
> >   plutodebug=all
> >...and in more than 100Mbytes of log (5 days) there is no presence of
> >any "aes" string.
> >
> >I've read a lot of documentation, and as far as I know, IKE should
> >prepare many proposals to send to the server (along with the PSK) so
> >they could choose the one that fits both. The problem is that it is not
> >preparing the proposals with AES, and I can't set anything with
> >"ike="... this is a bit frustrating... :-(
> >
> >Do you have version 2.3.1 with this parameter being used?
> >
> >
> >Regards,
> >
> >Cassio Bobsin Machado
> >
> >2005/7/15, Paul Wouters <paul at xelerance.com>:
> >
> >
> >>On Fri, 15 Jul 2005, Cassio Bobsin Machado wrote:
> >>
> >>
> >>
> >>>I'm trying to connect with a CiscoPIX that requires AES-256, SHA1,
> >>>DHG2 for Phase 1 and, after some log analysis, I've reached a problem.
> >>>
> >>>When preparing ISAKMP Proposal, OpenSwan does not try to make any
> >>>combination with AES, only tries with 3DES for encryption.
> >>>
> >>>I couldn't find anything in the OpenSwan documentation (it's a bit
> >>>confusing, mixing in old FreeSwan info) that covers this issue.
> >>>
> >>>I tried to force it with parameters like "ike=aes" or a dozen other
> >>>variations but, when I try any of these, it simply does not parse
> >>>IPSEC.CONF.
> >>>
> >>>
> >>Can you try using ike=aes256 and tell me if that fixes your problem?
> >>
> >>Paul
> >>
> >>
> >>

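As an added illustration (not code from anyone in this thread), the following script compares a proposed `ike=` value against the "000 algorithm IKE encrypt:" lines that `ipsec auto status` prints, of the kind Steve quoted. The proposal grammar (cipher, optional key length, hash, then a modp group after `-` or `;`) and the keyword-to-OAKLEY-name mapping are assumptions for this example, and the status text below is constructed from the lines quoted above, not a capture from anyone's host.

```python
import re

# Constructed sample, modelled on the two status lines quoted in this thread.
STATUS_SAMPLE = """\
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
"""

# Assumed mapping from ike= cipher keywords to the names in the status output.
CIPHER_NAMES = {"aes": "OAKLEY_AES_CBC", "3des": "OAKLEY_3DES_CBC"}

ENCRYPT_RE = re.compile(r"^000 algorithm IKE encrypt: .*name=(\w+), .*keydeflen=(\d+)")
# One proposal: cipher[keylen][-hash][-group]; the group may also follow ';'.
PROPOSAL_RE = re.compile(
    r"^(?P<cipher>aes|3des)(?P<keylen>\d+)?"
    r"(?:-(?P<hash>sha1|sha|md5))?(?:[-;](?P<group>modp\d+))?$"
)


def parse_ike(value):
    """Split a comma-separated ike= value into a list of proposal dicts."""
    proposals = []
    for item in value.split(","):
        m = PROPOSAL_RE.match(item.strip().lower())
        if not m:
            raise ValueError(f"cannot parse ike= proposal: {item!r}")
        d = m.groupdict()
        d["keylen"] = int(d["keylen"]) if d["keylen"] else None
        proposals.append(d)
    return proposals


def advertised_ike_ciphers(status_text):
    """Return {OAKLEY name: default key length} from 'ipsec auto status' output."""
    found = {}
    for line in status_text.splitlines():
        m = ENCRYPT_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def check_ike(value, status_text):
    """Report each proposal whose cipher or key length is not what the daemon advertises."""
    advertised = advertised_ike_ciphers(status_text)
    findings = []
    for p in parse_ike(value):
        name = CIPHER_NAMES[p["cipher"]]
        if name not in advertised:
            findings.append(f"{p['cipher']}: not advertised as an IKE cipher")
        elif p["keylen"] and p["keylen"] != advertised[name]:
            # keydeflen is only the default length; flag the mismatch for a manual check.
            findings.append(f"{p['cipher']}{p['keylen']}: advertised default key length is "
                            f"{advertised[name]}; confirm the daemon accepts {p['keylen']}")
    return findings
```

Running `check_ike("aes256-sha1-modp1024", STATUS_SAMPLE)` returns one finding about the key length, while a 3DES proposal returns none; a proposal the regex cannot parse raises `ValueError`, which mirrors the "does not parse" symptom discussed above.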
