[Openswan Users] config to talk to device with aes, sha, psk

Norman Rasmussen norman at rasmussen.co.za
Sat Jan 7 12:08:00 CET 2006


sha1 and sha256 are slightly different.  I expect that by dropping the
'1', you've allowed any sha to be used - you should probably drop the
esp '1' too, and see if that swaps to the more secure sha256 too.  (or
alternatively make both sha256, and see if that works)

On 1/7/06, Brendan Simon <Brendan at brendansimon.com> wrote:
> Fixed it.
> Need to drop the "1" from "sha1" in the ike statement.
>
>     ike=aes256-sha
>     esp=aes256-sha1
>
> Not sure why.  Also whack still seems to show sha256.  Any ideas why?
> Anyhow, it's working :)
>
> Thanks,
> Brendan.
>
>
> Brendan Simon wrote:
> > Thanks Peter.  That's exactly what I wanted, but it still didn't
> > work.  I googled for a while and found the "ipsec whack --status"
> > command.  It seems to suggest that aes256 is not supported or can't be
> > loaded.
> > 000 "host178":   ESP algorithms wanted: 12_256-2, flags=-strict
> > 000 "host178":   ESP algorithms loaded: 12_256-2, flags=-strict
> >
> > lsmod reveals that the aes module is loaded.
> >
> > Module                  Size  Used by
> > twofish                41600  0
> > serpent                21760  0
> > aes                    31016  0
> > blowfish               12096  0
> > des                    13632  0
> > sha256                 10880  0
> > sha1                    8704  0
> > crypto_null             3616  0
> > xfrm_user              19684  0
> > ipcomp                  9216  0
> > esp4                   11744  0
> > ah4                     9664  0
> > md                     56756  0
> >
> > Any idea how to get openswan to use/recognize aes256 ??
> >
> > Thanks,
> > Brendan.
> >
> >
> > Peter McGill wrote:
> >> Try adding the following three lines to your conn as follows:
> >> Otherwise your setup looks good from what I can tell.
> >> the pfs line obviously turns off pfs.
> >> the ike line is for phase 1
> >> the esp line is for phase 2
> >>
> >> conn host178
> >>   pfs=no
> >>   ike=aes256-sha1
> >>   esp=aes256-sha1
> >
> >
>


--
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
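
An added example, not part of the original thread and not Openswan code: a small reader for the "ESP algorithms wanted/loaded" status lines quoted above, which decodes each proposal and reports any wanted proposal that was not loaded. It assumes each token has the form transform_keybits-auth, numbered as in the IANA IPsec DOI (IKEv1) registries; the "demo" connection lines are constructed sample input.

```python
import re

# Assumption: each proposal token is <ESP transform id>_<key bits>-<auth id>,
# numbered as in the IANA IPsec DOI (IKEv1) registries.
ESP_TRANSFORMS = {2: "DES", 3: "3DES", 7: "BLOWFISH", 11: "NULL", 12: "AES"}
AUTH_ALGS = {1: "HMAC-MD5", 2: "HMAC-SHA1", 5: "HMAC-SHA2-256"}

LINE_RE = re.compile(r'^\d{3} "([^"]+)":\s+ESP algorithms (wanted|loaded): (.*)$')
TOKEN_RE = re.compile(r"\b(\d+)_(\d+)-(\d+)\b")


def decode(token):
    """Turn '12_256-2' into 'AES-256 + HMAC-SHA1'."""
    m = TOKEN_RE.fullmatch(token)
    if not m:
        raise ValueError(f"not a proposal token: {token!r}")
    enc, bits, auth = (int(g) for g in m.groups())
    cipher = ESP_TRANSFORMS.get(enc, f"transform#{enc}")
    if bits:  # 000 means no explicit key length was given
        cipher += f"-{bits}"
    return f"{cipher} + {AUTH_ALGS.get(auth, f'auth#{auth}')}"


def check(status_text):
    """Per connection: decoded wanted/loaded proposals, plus wanted-but-not-loaded."""
    conns = {}
    for line in status_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, kind, rest = m.groups()
        tokens = [t.group(0) for t in TOKEN_RE.finditer(rest)]
        conns.setdefault(name, {"wanted": [], "loaded": []})[kind] = tokens
    report = {}
    for name, c in conns.items():
        missing = [t for t in c["wanted"] if t not in c["loaded"]]
        report[name] = {k: [decode(t) for t in v] for k, v in c.items()}
        report[name]["missing"] = [decode(t) for t in missing]
    return report


# First two lines are from the thread; the "demo" lines are constructed.
SAMPLE = '''\
000 "host178":   ESP algorithms wanted: 12_256-2, flags=-strict
000 "host178":   ESP algorithms loaded: 12_256-2, flags=-strict
000 "demo":   ESP algorithms wanted: 12_256-5, 3_000-2, flags=-strict
000 "demo":   ESP algorithms loaded: 3_000-2, flags=-strict
'''

if __name__ == "__main__":
    for name, r in check(SAMPLE).items():
        print(name, r)
```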

