[Openswan Users] Simple question: What are possible values for esp= in ipsec.conf?
Tibor Incze
tibor.incze at eservglobal.com
Thu Jun 9 08:36:12 CEST 2005
So what are all the possible values for esp=?
Other answers inline:
> On Wed, 8 Jun 2005, Tibor Incze wrote:
>
>> the phase2 proposal side of things. Netscreen supports all sorts of
>> algorithms, but I've chosen to go with 3Des-Sha. I've specified this
>> in openswan client as: esp=3des-sha1
>
> Did you also specify ike= ?
Yes, and this part works. With esp= though, no matter what I've put in so
far, it's the same result as not putting in anything.
> And aggrmode=yes?
Yes.
>
>> Also tried:
>> esp=3des-sha1-96. No matter which I put in it's the same as leaving
>> this option out. I get nondescriptive errors: malformed payload in
>> packet 003 "esg_rwvpn" #1: next payload type of ISAKMP Hash Payload
>> has an unknown value:<random number here>
>
> can you try either 2.3.1 or 2.2.0, if this is a 2.3.0?
I'm using the latest 2.3.1 RPMS for FC3.
>
>> BTW, I'm using PFS and DH group2. Does openswan support both of those?
>
> Yes, use pfs=yes and pfsgroup=modp1024
I have "pfs=yes", but it doesn't like the "pfsgroup" statement. This is
also not in the manual...
>
> Remember, with aggressive mode, you have to specify *exactly* what you
> need. It does not allow for various proposals to be decided upon.
Makes sense, it's the same on the Windows clients too. This is why I want
to have all the values of esp= so that I can experiment on which one it
wants.
> If possible, change aggressive mode to main mode on the netscreen to make
> life a lot easier.
Unfortunately not an option :(
>
> Paul