[Openswan Users] use of multiple ike and esp algorithms

Joachim Schwender jschwender at de.ferrotec.com
Wed Sep 6 04:09:10 EDT 2006


When you use openswan to connect to different peers with different
algorithm capabilities, the configuration of ike= and esp= in the
connection section causes problems.

If peer1 uses aes and peer2 uses 3des, the configuration on the central
peer must allow, at minimum, both algorithms for both connections. If you
specify strictly ike=aes for peer1 and ike=3des for peer2, you will see
connection drops. The reason is that when the second connection is
initiated, openswan uses the peer1 connection in phase 1 and refuses
3des, because peer1 must use aes. If you don't specify any ike= and esp=,
openswan uses defaults only, and it may not work. Therefore the
documentation should clearly state that the parameters ike= and esp= should
only be used in the conn %default section. Does anybody know of a
possibility to restrict algorithms to connections?
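An added example, not part of the post above: a small lint that parses an ipsec.conf (a constructed sample with the poster's two-peer setup; addresses and proposal strings are illustrative) and flags ike=/esp= pinned inside individual conns, then derives the combined proposal list that would belong in conn %default.

```python
# Added example: lint ipsec.conf for ike=/esp= pinned in individual conns.
import re

# Constructed ipsec.conf reproducing the post's setup (illustrative values).
SAMPLE_CONF = """\
conn %default
    authby=rsasig
conn peer1
    left=192.0.2.1
    right=198.51.100.10
    ike=aes128-sha1
    esp=aes128-sha1
conn peer2
    left=192.0.2.1
    right=203.0.113.20
    ike=3des-sha1
    esp=3des-sha1
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        m = re.match(r"^conn\s+(\S+)", line)
        if m:                                   # new conn section header
            current = conns.setdefault(m.group(1), {})
        elif re.match(r"^\S", line):            # other top-level section
            current = None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def pinned_algorithms(conns):
    """(conn, key, value) for every non-%default conn that sets ike= or esp=."""
    return [(name, key, opts[key]) for name, opts in conns.items()
            if name != "%default" for key in ("ike", "esp") if key in opts]

def union_proposals(conns, key):
    """Comma-joined, de-duplicated list of every proposal any peer needs."""
    seen = []
    for opts in conns.values():
        for prop in opts.get(key, "").split(","):
            if prop.strip() and prop.strip() not in seen:
                seen.append(prop.strip())
    return ",".join(seen)

if __name__ == "__main__":
    for name, key, val in pinned_algorithms(parse_conns(SAMPLE_CONF)):
        print(f"warning: conn {name} pins {key}={val}; move it to conn %default")
```

union_proposals(parse_conns(SAMPLE_CONF), "ike") yields the single ike= line covering both peers.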
