[Openswan Users] config to talk to device with aes, sha, psk

Brendan Simon Brendan at BrendanSimon.com
Sat Jan 7 17:31:28 CET 2006


Fixed it.
Need to drop the "1" from "sha1" in the ike statement.

    ike=aes256-sha
    esp=aes256-sha1

Not sure why.  Also whack still seems to show sha256.  Any ideas why?
Anyhow, it's working :)

Thanks,
Brendan.


Brendan Simon wrote:
> Thanks Peter.  That's exactly what I wanted, but it still didn't 
> work.  I googled for a while and found the "ipsec whack --status" 
> command.  It seems to suggest that aes256 is not supported or can't be 
> loaded.
> 000 "host178":   ESP algorithms wanted: 12_256-2, flags=-strict
> 000 "host178":   ESP algorithms loaded: 12_256-2, flags=-strict
>
> lsmod reveals that the aes module is loaded.
>
> Module                  Size  Used by
> twofish                41600  0
> serpent                21760  0
> aes                    31016  0
> blowfish               12096  0
> des                    13632  0
> sha256                 10880  0
> sha1                    8704  0
> crypto_null             3616  0
> xfrm_user              19684  0
> ipcomp                  9216  0
> esp4                   11744  0
> ah4                     9664  0
> md                     56756  0
>
> Any idea how to get openswan to use/recognize aes256 ??
>
> Thanks,
> Brendan.
>
>
> Peter McGill wrote:
>> Try adding the following three lines to your conn as follows:
>> Otherwise your setup looks good from what I can tell.
>> the pfs line obviously turns off pfs.
>> the ike line is for phase 1
>> the esp line is for phase 2
>>
>> conn host178
>>   pfs=no
>>   ike=aes256-sha1
>>   esp=aes256-sha1
>
>
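
Added example, not part of the original thread and not Openswan code: a decoder for the "ESP algorithms wanted/loaded" status lines quoted above, using the IANA ISAKMP registry numbers for ESP transforms and authentication algorithms (12 is AES-CBC, 2 is HMAC-SHA1). The token layout `<transform id>_<key bits>-<auth id>` and all function names are assumptions made for this example.

```python
import re

# IANA ISAKMP registry: IPsec ESP transform identifiers (subset).
ESP_TRANSFORMS = {2: "DES", 3: "3DES", 7: "BLOWFISH", 11: "NULL", 12: "AES-CBC"}
# IANA ISAKMP registry: IPsec authentication algorithm values (subset).
AUTH_ALGS = {1: "HMAC-MD5", 2: "HMAC-SHA1", 5: "HMAC-SHA2-256"}

# Constructed sample input: the two status lines quoted in the thread.
SAMPLE_STATUS = '''\
000 "host178":   ESP algorithms wanted: 12_256-2, flags=-strict
000 "host178":   ESP algorithms loaded: 12_256-2, flags=-strict
'''

LINE_RE = re.compile(
    r'^\d{3} "(?P<conn>[^"]+)":\s+ESP algorithms (?P<kind>wanted|loaded): (?P<body>.*)$'
)
# Assumed token layout: <transform id>_<key bits>-<auth id>
TOKEN_RE = re.compile(r'^(\d+)_(\d+)-(\d+)$')


def decode_token(token):
    """Turn a token such as '12_256-2' into (cipher, key_bits, auth)."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError(f"not an algorithm token: {token!r}")
    ealg, bits, aalg = (int(g) for g in m.groups())
    return (ESP_TRANSFORMS.get(ealg, f"unknown({ealg})"), bits,
            AUTH_ALGS.get(aalg, f"unknown({aalg})"))


def parse_status(text):
    """Return {conn: {'wanted': [...], 'loaded': [...]}} from status output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tokens = [t.strip() for t in m.group("body").split(",")]
        # Entries such as 'flags=-strict' are not algorithm tokens; skip them.
        algs = [decode_token(t) for t in tokens if TOKEN_RE.match(t)]
        result.setdefault(m.group("conn"), {})[m.group("kind")] = algs
    return result


def missing_algorithms(status):
    """Per connection, algorithms that were wanted but are not loaded."""
    return {conn: [a for a in kinds.get("wanted", [])
                   if a not in kinds.get("loaded", [])]
            for conn, kinds in status.items()}
```

An empty list from `missing_algorithms` for a connection means every requested ESP algorithm appears on the "loaded" line.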


