[Openswan Users] Simple question: What are possible values for esp= in ipsec.conf?
paul at xelerance.com
Wed Jun 8 16:50:39 CEST 2005
On Wed, 8 Jun 2005, Tibor Incze wrote:
> the phase2 proposal side of things. Netscreen supports all sorts of
> algorithms, but I've chosen to go with 3Des-Sha. I've specified this in
> openswan client as: esp=3des-sha1
Did you also specify ike= ?
> Also tried:
> esp=3des-sha1-96. No matter which I put in it's the same as leaving this
> option out. I get nondescriptive errors: malformed payload in packet
> 003 "esg_rwvpn" #1: next payload type of ISAKMP Hash Payload has an
> unknown value:<random number here>
Can you try either 2.3.1 or 2.2.0, if this is a 2.3.0?
> BTW, I'm using PFS and DH group2. Does openswan support both of those?
Yes, use pfs=yes and pfsgroup=modp1024
Remember, with aggressive mode, you have to specify *exactly* what you
need. It does not allow for various proposals to be decided upon. If
possible, change aggressive mode to main mode on the netscreen to make
life a lot easier.