[Openswan Users] AES-256 SHA1 Group2

Xian Zhang xianzhangmcse at optusnet.com.au
Sun Mar 13 11:52:43 CET 2005 

Thanks for your help, Paul.
I have changed /etc/ipsec.conf

That's two lines in /etc/ipsec.conf

        ike=aes256-sha1-modp1024
        esp=aes256-sha1

below is the output of "ipsec whack --status"

I had a closer look at the output of command "ipsec whack --status"

000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, 
keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, 
keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} 
trans={0,0,0}
attrs={0,0,0}
000
000 "TestConnection": 
10.xxx.xxx.0/24===203.xxx.xxx.205---203.xxx.xxx.204...149.xxx.xxx.205---149.xxx.xxx.204===172.xxx.xxx.0/24; 
prospective erouted; eroute owner: #0
000 "TestConnection":     srcip=unset; dstip=unset
000 "TestConnection":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 0
000 "TestConnection":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 22,24; 
interface: eth1;
000 "TestConnection":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "TestConnection":   IKE algorithms wanted: 7_256-2-5, 7_256-2-2, 
flags=strict
000 "TestConnection":   IKE algorithms found:  7_256-2_160-5, 7_256-2_160-2,
000 "TestConnection":   ESP algorithms wanted: 12_256-2, flags=strict
000 "TestConnection":   ESP algorithms loaded: 12_256-2, flags=strict

Looks like following two lines are the problem,

000 "TestConnection":   IKE algorithms wanted: 7_256-2-5, 7_256-2-2, 
flags=strict
000 "TestConnection":   IKE algorithms found:  7_256-2_160-5, 7_256-2_160-2,

7_256-2-5 and 7_256-2_160-5 don't match
7_256-2-2 and 7_256-2_160-2 don't match

7_256 means aes256, 2_160 -- means SHA1, but I don't what 160 is

5 means group 5, I think.

Now, how do I change 7_256-2_160-5 to 7_256-2-5 ?

I guess that is where the problem is, what do you think, Paul?


----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Xian Zhang" <xianzhangmcse at optusnet.com.au>
Cc: <users at openswan.org>
Sent: Sunday, March 13, 2005 1:35 AM
Subject: Re: [Openswan Users] AES-256 SHA1 Group2


> On Sat, 12 Mar 2005, Xian Zhang wrote:
>
>> I am trying to set up a VPN connection between openswan and checkpoint. I 
>> use AES-256, SHA-1, and Diffie-Hellman Group2
>>
>> I couldn't get phase 1 come up, any help would be greatly appreciated.
>
>> conn TestConnection
>>        left=149.xxx.xxx.204
>>        leftsubnet=172.xxx.xxx.0/24
>>        leftnexthop=149.xxx.xxx.205
>>        right=203.xxx.xxx.205
>>        rightsubnet=10.xxx.xxx.0/24
>>        rightnexthop=%defaultroute
>>        ike=aes256-sha!
>>        esp=aes256-sha1!
>
> Don't use the old exclamation mark notation. Specifying anything on the
> esp= or ike= line is always "restrictive". That is, no other proposals
> will be allowed.
> Also, do not use 'sha' for 'sha1'. Sha is currently an alias for sha1, but
> should not be used with the impeding newer versions of sha (eg sha256).
>
> Also try adding the DH/modp group to your ike/esp line, eg 
> ike=aes256-sha1=modp1024
> You can also specifify 'pfsgroup=modp1024' to set the DH group for phase 1 
> and 2.
>
>> Mar 12 10:17:32 vpngateway ipsec__plutorun: 104 "TestConnection" #1: 
>> STATE_MAIN_I1: initiate
>> Mar 12 10:17:32 vpngateway ipsec__plutorun: ...could not start conn 
>> "TestConnection"
>
>> Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: initiating 
>> Main Mode
>> Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: ignoring 
>> informational payload, type NO_PROPOSAL_CHOSEN
>> Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: received 
>> and ignored informational message
>> Mar 12 10:30:42 vpngateway pluto[17701]: "TestConnection" #1: max number 
>> of retransmissions (20) reached STATE_MAIN_I1.  No response (
>> or no acceptable response) to our first IKE message
>
> the other end is rejecting your first proposal, probably because you did 
> not specify
> the exact DH group it wanted.
> One way of debugging this is to have the other end initiate to you, and 
> see what it
> requests to Openswan to use as parameters.
>
> Paul
> -- 
>
> "At best it is a theory, at worst a fantasy" -- Michael Crichton
>

More information about the Users mailing list