[Openswan Users] Just two questions
Scott Mcdermott
smcdermott at questra.com
Wed Mar 23 13:09:10 CET 2005
Paul Wouters on Wed 23/03 21:30 +0100:
> >I've seen in some appliance products (like Astaro) that
> >the user can select: encryption algorithm,
> >authentication algorithm, IKE DH Group (for ISAKMP
> >phase). How can I set these algorithms with Openswan? I
> >can't see those parameters in the ipsec.conf documentation...
> >I would like to use automatic keying.
>
> see the options for:
>
> esp=
> ike=
> pfsgroup=
>
> eg: ike=3des-sha1-modp1524

In my experience with recent Openswan:

1. pfsgroup= was not a recognized option.
2. The parsing of options using ike= and esp= parameters was
   not consistent; correct syntax was sometimes not
   recognized.
3. Using esp= and ike= parameters with AES caused there to
   be bogus proposals sent out with 65535 in all the fields,
   as the first offered transform set. This caused
   negotiation with the remote end to always fail.

Switching to Strongswan solved these problems for me right
away using exactly the same ipsec.conf as I tried with
Openswan. You can read a post I sent earlier when I
encountered this problem, before I switched to Strongswan
(which has a much more current version of the X.509 patch as
well, btw).