[Openswan Users] Problem with ike

Peter McGill petermcgill at goco.net
Mon Jun 25 10:00:08 EDT 2007


> -----Original Message-----
> Date: Mon, 25 Jun 2007 06:16:54 -0700 (PDT)
> From: "D h @ v @ l" <dhaval4linux at yahoo.com>
> Subject: [Openswan Users] Problem with ike
> To: users at openswan.org
> 
> Hi all
> 
>     I am making a VPN tunnel, Net to Roadwarrior. I have a 
> problem when I enable ike=des-md5-modp3072 in both ipsec.conf files. 
> 
> Here is my ipsec.conf file
> conn netone
>   left=10.10.136.190
>   leftsubnet=192.0.0.0/8
>   leftrsasigkey=%cert
>   leftcert=host.example.com.pem
>   right=10.10.136.191
>   rightsubnet=11.0.0.0/8
>   rightrsasigkey=%cert
>   rightcert=clienthost.example.com.pem
>   authby=rsasig
>   also=policy3
>   auto=start
> 
> conn policy3
>   keyexchange=ike
>   aggrmode=no
>   ike=des-md5-modp3072
>   ikelifetime=1h
>   esp=aes128-md5
>   pfs=no
>   compress=no
>   keylife=1h
>   failureshunt=passthrough
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> This is my output of command: ipsec auto --status
> interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 10.10.136.191
> 000 interface eth0/eth0 10.10.136.191
> 000 interface eth1/eth1 11.11.11.11
> 000 interface eth1/eth1 11.11.11.11
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, 
> keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, 
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, 
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, 
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, 
> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), 
> keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, 
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, 
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, 
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, 
> bits=1536
> 000 algorithm IKE dh group: id=14, 
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, 
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, 
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, 
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, 
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000

First off, DES is NOT SECURE! Can't say that strongly enough; do not use
it, it is obsolete, broken, cracked, etc. Use one of the newer, stronger
ciphers instead. 3DES and Blowfish should be fine; AES, Serpent and Twofish
are best.

Secondly, only 3DES and AES are available in your ike status here; the others
are only in esp. IPSec is a two-phase process, authentication and encryption.
Ike is phase 1 authentication and esp is phase 2 encryption.

3DES and AES are defaults in openswan, so:
	ike=3des-md5-modp3072
	esp=aes128-md5
Should work just fine.
Or if you want blowfish for phase 2, this should work.
	ike=3des-md5-modp3072
	esp=blowfish-md5

> Here is my log from /var/log/auth.log
> 
> Jun 23 03:48:57 localhost pluto[26197]: | ike_alg_db_new() 
> ike enc ealg=1 not present

I'm not sure how to enable the other ciphers for phase 1, but probably a
recompile with special options is needed, and/or kernel module loading/recompile.

> Jun 23 03:48:57 localhost pluto[26197]: packet from 
> 10.10.136.190:500: ignoring informational payload, type 
> NO_PROPOSAL_CHOSEN

This means the two sides cannot agree on ciphers to use.

Peter

> If I disable ike=des-md5-modp3072 in both ipsec.conf files, 
> then it establishes the tunnel. So can anyone help me to solve 
> this problem? The problem is the same when I establish the tunnel 
> with PSK and RSA keys. 
> 
> If I use another algorithm, blowfish, in place of des in ike, then 
> it also gives the same error.
> 
> Can anyone help out?
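As an added example (not part of this thread, and not Openswan's own tooling), the check below applies Peter's point mechanically: it parses the "algorithm IKE ..." lines of `ipsec auto --status` and tests an `ike=` proposal against them, so a DES or Blowfish phase-1 proposal is caught before pluto logs "ike enc ealg=1 not present" (ealg 1 is DES in the IKEv1 registry) and the peer answers NO_PROPOSAL_CHOSEN. The keyword-to-ID tables are the IANA IKEv1 transform numbers; the status text is a constructed sample copied from the quoted output, and the WEAK set is this example's own policy.

```python
import re

# Constructed sample: the "algorithm IKE ..." lines as they appear in the quoted
# `ipsec auto --status` output (no DES or Blowfish in the IKE encrypt list).
STATUS = """\
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
"""

# ipsec.conf keyword -> IANA IKEv1 transform ID, the number pluto prints as id= (and as ealg=).
ENC = {"des": 1, "blowfish": 3, "3des": 5, "aes": 7}
HASH = {"md5": 1, "sha1": 2, "sha": 2}
GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
         "modp4096": 16, "modp6144": 17, "modp8192": 18}
# Transforms this example's policy flags as obsolete even when pluto would accept them.
WEAK = {"des", "md5", "modp1024"}

STATUS_RE = re.compile(r"^000 algorithm IKE (encrypt|hash|dh group): id=(\d+), name=(\S+?),")

def parse_ike_status(text):
    """Collect {kind: {id: name}} for the IKE transforms pluto reports as loaded."""
    avail = {"encrypt": {}, "hash": {}, "dh group": {}}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            avail[m.group(1)][int(m.group(2))] = m.group(3)
    return avail

def check_ike_proposal(ike, status_text):
    """Check one ike=ENC-HASH-GROUP line; return (missing, weak) transform lists."""
    avail = parse_ike_status(status_text)
    enc, hsh, grp = ike.lower().split("-")
    enc = re.sub(r"(?<=[a-z])\d+$", "", enc)  # aes128 -> aes: key length is not part of the ID
    missing, weak = [], []
    for kind, table, key in (("encrypt", ENC, enc), ("hash", HASH, hsh), ("dh group", GROUP, grp)):
        tid = table.get(key)
        if tid is None or tid not in avail[kind]:
            # Same condition pluto reports as "ike enc ealg=N not present".
            missing.append(f"ike {kind} {key} (id={tid}) not present")
        if key in WEAK:
            weak.append(key)
    return missing, weak
```

With the sample status, `des-md5-modp3072` and `blowfish-sha1-modp1536` are reported as missing their encryption transform, while `3des-md5-modp3072` negotiates but is flagged for MD5.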
