[Openswan Users] Simple question: What are possible values for esp= in ipsec.conf?

Paul Wouters paul at xelerance.com
Wed Jun 8 16:50:39 CEST 2005


On Wed, 8 Jun 2005, Tibor Incze wrote:

> the phase2 proposal side of things. Netscreen supports all sorts of
> algorithms, but I've chosen to go with 3Des-Sha. I've specified this in
> openswan client as: esp=3des-sha1

Did you also specify ike= ?
And aggrmode=yes?

> Also tried:
> esp=3des-sha1-96. No matter which I put in it's the same as leaving this
> option out. I get nondescriptive errors: malformed payload in packet
> 003 "esg_rwvpn" #1: next payload type of ISAKMP Hash Payload has an
> unknown value:<random number here>

Can you try either 2.3.1 or 2.2.0, if this is a 2.3.0?

> BTW, I'm using PFS and DH group2. Does openswan support both of those?

Yes, use pfs=yes and pfsgroup=modp1024

Remember, with aggressive mode, you have to specify *exactly* what you
need. It does not allow for various proposals to be decided upon. If
possible, change aggressive mode to main mode on the netscreen to make
life a lot easier.

Paul
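
The aggressive-mode advice above can be checked mechanically. The following is an added example, not part of the original message and not Openswan code: a small Python check that flags any conn with aggrmode=yes whose ike= or esp= is missing or lists more than one proposal. It assumes proposals are comma-separated, ignores also= and conn %default inheritance, and uses a constructed sample config with made-up conn names.

```python
import re

# Constructed sample config, not taken from the thread (conn names are made up).
SAMPLE_CONF = """\
conn aggr_ok
    aggrmode=yes
    ike=3des-sha1-modp1024
    esp=3des-sha1

conn aggr_loose
    aggrmode=yes
    ike=3des-sha1,aes128-sha1
    # esp= left out on purpose

conn main_mode
    ike=3des-sha1,aes128-sha1
    esp=3des-sha1,aes128-sha1
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
        else:
            current = None   # "config setup" or another non-conn section
    return conns

def check_aggressive(text):
    """List (conn, key, problem) for aggressive-mode conns without one exact proposal."""
    findings = []
    for name, opts in parse_conns(text).items():
        if opts.get("aggrmode", "no").lower() != "yes":
            continue   # main mode can negotiate among several proposals
        for key in ("ike", "esp"):
            value = opts.get(key)
            if value is None:
                findings.append((name, key, "missing"))
            elif "," in value:
                findings.append((name, key, "multiple proposals"))
    return findings
```

Calling check_aggressive(SAMPLE_CONF) reports only the aggr_loose conn; the main_mode conn is left alone because main mode negotiates the proposal.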

