[Openswan Users] Just two questions

Scott Mcdermott smcdermott at questra.com
Wed Mar 23 13:09:10 CET 2005


Paul Wouters on Wed 23/03 21:30 +0100:
> >I've seen in some appliance products (like astaro) that
> >the user can select: encryption algorithm,
> >authentication algorithm, IKE DH Group (for ISAKMP
> >phase). How can I set these algorithms with Openswan? I
> >can't see those parameters in the ipsec.conf documentation...
> >I would like to use automatic keying.
> 
> see the options for:
> 
> esp=
> ike=
> pfsgroup=
> 
> eg: ike=3des-sha1-modp1524

In my experience with recent Openswan:

1. pfsgroup= was not a recognized option.

2. The parsing of options using ike= and esp= parameters was
   not consistent; correct syntax was sometimes not
   recognized.

3. Using esp= and ike= parameters with AES caused there to
   be bogus proposals sent out with 65535 in all the fields,
   as the first offered transform set.  This caused
   negotiation with the remote end to always fail.

Switching to Strongswan solved these problems for me right
away using exactly the same ipsec.conf as I tried with
Openswan.  You can read a post I sent earlier when I
encountered this problem, before I switched to Strongswan
(which has a much more current version of the X.509 patch as
well, btw).

