[Openswan Users] Problem with ike

D h @ v @ l dhaval4linux at yahoo.com
Tue Jun 26 03:23:30 EDT 2007



Peter McGill <petermcgill at goco.net> wrote:
> -----Original Message-----
> Date: Mon, 25 Jun 2007 06:16:54 -0700 (PDT)
> From: "D h @ v @ l" 
> Subject: [Openswan Users] Problem with ike
> To: users at openswan.org
> 
> Hi all
> 
>     I am making a vpn tunnel Net to Roadworrier. I have 
> problem when I enable ike=des-md5-modp3072 in both ipsec.conf. 
> 
> Here is my ipsec.conf file
> conn netone
>   left=10.10.136.190
>   leftsubnet=192.0.0.0/8
>   leftrsasigkey=%cert
>   leftcert=host.example.com.pem
>   right=10.10.136.191
>   rightsubnet=11.0.0.0/8
>   rightrsasigkey=%cert
>   rightcert=clienthost.example.com.pem
>   authby=rsasig
>   also=policy3
>   auto=start
> 
> conn policy3
>   keyexchange=ike
>   aggrmode=no
>   ike=des-md5-modp3072
>   ikelifetime=1h
>   esp=aes128-md5
>   pfs=no
>   compress=no
>   keylife=1h
>   failureshunt=passthrough
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> This is my output of command: ipsec auto --status
> interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 10.10.136.191
> 000 interface eth0/eth0 10.10.136.191
> 000 interface eth1/eth1 11.11.11.11
> 000 interface eth1/eth1 11.11.11.11
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, 
> keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, 
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, 
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, 
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, 
> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), 
> keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, 
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, 
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, 
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, 
> bits=1536
> 000 algorithm IKE dh group: id=14, 
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, 
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, 
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, 
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, 
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000

First off DES is NOT SECURE! Can't say that strongly enough, do not use
it, it is obsolete, broken, cracked, etc... Use one of the newer stronger
ciphers instead. 3DES, Blowfish should be fine, AES, Serpent and Twofish
are best.

Secondly, only 3DES and AES are available in your ike status here, the others
are only in esp. IPSec is a two phase process, authentication and encryption.
Ike is phase 1 authentication and esp is phase 2 encryption.

3DES and AES are defaults in openswan, so:
 ike=3des-md5-modp3072
 esp=aes128-md5
Should work just fine.
Or if you want blowfish for phase 2, this should work.
 ike=3des-md5-modp3072
 esp=blowfish-md5

> Here is my log from /var/log/auth.log
> 
> Jun 23 03:48:57 localhost pluto[26197]: | ike_alg_db_new() 
> ike enc ealg=1 not present

I'm not sure how to enable the other ciphers for phase 1, but probably a
recompile with special options is needed, and/or kernel module loading/recompile.

Peter
How do I enable other ciphers in phase 1? If I recompile Openswan, then what are the options? If a kernel recompile is needed, then which modules do I have to select before recompiling?

Anyone know that?


Thanks in advance,

Dhaval
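As an added illustration of the mismatch in this thread (example code, not from Openswan or either poster): a small Python checker that parses the `000 algorithm IKE ...` lines of `ipsec auto --status` and reports whether each `ike=` proposal can be built from the algorithms pluto actually loaded. The sample status text is constructed from the output quoted above, and the token-to-name mapping (including the `OAKLEY_DES_CBC` name for a single-DES entry) is an assumption.

```python
import re

# Constructed sample: the "000 algorithm IKE ..." lines from the status output
# quoted above, re-joined onto single lines as pluto prints them.
SAMPLE_STATUS = """\
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
"""

# ike= tokens -> names pluto lists in its IKE table (assumed mapping; OAKLEY_DES_CBC
# is the name a single-DES entry would carry if the build had loaded one).
ENC_NAMES = {"des": "OAKLEY_DES_CBC", "3des": "OAKLEY_3DES_CBC", "aes": "OAKLEY_AES_CBC"}
HASH_NAMES = {"md5": "OAKLEY_MD5", "sha": "OAKLEY_SHA1", "sha1": "OAKLEY_SHA1"}
OBSOLETE = {"des"}  # single DES: flag it even on a build that offers it
LINE_RE = re.compile(r"^000 algorithm IKE (encrypt|hash|dh group): id=\d+, name=([A-Z0-9_]+)")

def parse_ike_table(status_text):
    """Collect the IKE (phase 1) algorithm names pluto reports as loaded."""
    table = {"encrypt": set(), "hash": set(), "dh group": set()}
    for line in status_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m.group(1)].add(m.group(2))
    return table

def check_ike_proposal(ike_value, table):
    """Check each proposal in an ike= value (enc-hash-modpNNNN, comma separated).
    Returns a list of problems; an empty list means pluto can offer all of them."""
    problems = []
    for proposal in ike_value.split(","):
        parts = proposal.strip().split("-")
        if len(parts) != 3:
            problems.append(f"{proposal}: expected enc-hash-modpgroup")
            continue
        enc, hsh, grp = parts
        enc_base = re.sub(r"\d+$", "", enc)  # aes128 -> aes; 3des stays 3des
        if enc_base in OBSOLETE:
            problems.append(f"{proposal}: {enc} is obsolete, do not use")
        if ENC_NAMES.get(enc_base) not in table["encrypt"]:
            problems.append(f"{proposal}: ike enc {enc} not present")  # cf. the pluto log line
        if HASH_NAMES.get(hsh) not in table["hash"]:
            problems.append(f"{proposal}: ike hash {hsh} not present")
        if "OAKLEY_GROUP_" + grp.upper() not in table["dh group"]:
            problems.append(f"{proposal}: ike dh group {grp} not present")
    return problems
```

To use it on a real box, feed the text of `ipsec auto --status` to `parse_ike_table` in place of `SAMPLE_STATUS` and call `check_ike_proposal` with the `ike=` value from ipsec.conf.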


  