[Openswan Users] Fwd: RE: Problem with ike

D h @ v @ l dhaval4linux at yahoo.com
Wed Jun 27 11:49:33 EDT 2007


 Hi All

    I have solved that problem of ciphers. To enable other ciphers, before installing openswan from source you should open the file Makefile.inc and 

Change USE_EXTRACRYPTO=false to USE_EXTRACRYPTO=true 

Then install openswan by giving the command make programs && make install

After that you have to apply the patch to your kernel for KLIPS and you have to recompile that kernel. Now you have all the other ciphers in your openswan.

To check that, you can start your connection and then check the last part of the log file /var/log/auth.log (in Debian). In that it will show which ciphers are loaded.

Thanks for the help....

Dhaval


"D h @ v @ l" <dhaval4linux at yahoo.com> wrote:
Date: Tue, 26 Jun 2007 00:23:30 -0700 (PDT)
From: "D h @ v @ l" <dhaval4linux at yahoo.com>
Subject: RE: [Openswan Users] Problem with ike
To: petermcgill at goco.net
CC: users at openswan.org

 

Peter McGill <petermcgill at goco.net> wrote:
> -----Original Message-----
> Date: Mon, 25 Jun 2007 06:16:54 -0700 (PDT)
> From: "D h @ v @ l" 
> Subject: [Openswan Users] Problem with ike
> To: users at openswan.org
> 
> Hi all
> 
>     I am making a vpn tunnel Net to Roadwarrior. I have a 
> problem when I enable ike=des-md5-modp3072 in both ipsec.conf. 
> 
> Here is my ipsec.conf file
> conn netone
>   left=10.10.136.190
>   leftsubnet=192.0.0.0/8
>   leftrsasigkey=%cert
>   leftcert=host.example.com.pem
>   right=10.10.136.191
>   rightsubnet=11.0.0.0/8
>   rightrsasigkey=%cert
>   rightcert=clienthost.example.com.pem
>   authby=rsasig
>   also=policy3
>   auto=start
>  
> conn policy3
>   keyexchange=ike
>   aggrmode=no
>   ike=des-md5-modp3072
>   ikelifetime=1h
>   esp=aes128-md5
>   pfs=no
>   compress=no
>   keylife=1h
>   failureshunt=passthrough
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> This is my output of command: ipsec auto --status
> interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 10.10.136.191
> 000 interface eth0/eth0 10.10.136.191
> 000 interface eth1/eth1 11.11.11.11
> 000 interface eth1/eth1 11.11.11.11
> 000 %myid = (none)
> 000  debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, 
> keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
> keysizemin=192, keysizemax=192
> 000 algorithm  ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, 
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, 
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, 
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,  keysizemax=160
> 000 algorithm ESP auth attr: id=5, 
> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), 
> keysizemin=0, keysizemax=0
> 000
> 000 algorithm  IKE encrypt: id=5, name=OAKLEY_3DES_CBC, 
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, 
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, 
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, 
> bits=1536
> 000 algorithm IKE dh group: id=14, 
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, 
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, 
>  name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, 
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, 
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000

First off DES is NOT SECURE!  Can't say that strongly enough, do not use
it, it is obsolete, broken, cracked, etc... Use one of the newer stronger
ciphers instead. 3DES, Blowfish should be fine, AES, Serpent and Twofish
are best.

Secondly, only 3DES and AES are available in your ike status here, the others
are only in esp. IPSec is a two-phase process, authentication and encryption.
Ike is phase 1 authentication and esp is phase 2 encryption.

3DES and AES are defaults in openswan, so:
 ike=3des-md5-modp3072
 esp=aes128-md5
should work just fine.
Or if you want blowfish for phase 2, this should work:
 ike=3des-md5-modp3072
 esp=blowfish-md5

> Here is my log from  /var/log/auth.log
> 
> Jun 23 03:48:57 localhost pluto[26197]: | ike_alg_db_new() 
> ike enc ealg=1 not present

I'm not sure how to enable the other ciphers for phase 1, but probably a
recompile with special options is needed, and/or kernel module loading/recompile.

Peter
How to enable other ciphers in phase 1? If I recompile openswan, then what are the options? If a kernel recompile is needed, then which modules do I have to select before recompiling? 

Anyone know that?


Thanks in advance,

Dhaval
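As an added example, not from this thread or from the Openswan project, here is a small shell helper for the check both messages describe: it parses the `ipsec auto --status` algorithm lines Dhaval quoted and tests an ike= proposal against what pluto has actually loaded for phase 1, which is the mismatch Peter points out and the "not present" log line shows. The status text is a constructed sample trimmed from the output above, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `ipsec auto --status` output, trimmed from the lines
# quoted in this thread. Note DES and Blowfish appear only under ESP, not IKE.
STATUS_SAMPLE='000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm  IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072'

# loaded_algs <status-text> <IKE|ESP> <encrypt|hash|auth|dh>: prints the algorithms
# pluto advertises for that phase/kind as ipsec.conf-style tokens (OAKLEY_3DES_CBC -> 3des).
loaded_algs() {
    printf '%s\n' "$1" | awk -v phase="$2" -v kind="$3" '
        $2 == "algorithm" && $3 == phase && index($4, kind) == 1 {
            for (i = 1; i <= NF; i++) if ($i ~ /^name=/) {
                n = substr($i, 6); sub(/,$/, "", n)
                sub(/^OAKLEY_GROUP_/, "", n)
                sub(/^(OAKLEY_|ESP_|AUTH_ALGORITHM_HMAC_)/, "", n)
                sub(/_CBC$/, "", n)
                print tolower(n)
            }
        }'
}

# check_ike_proposal <status-text> <enc-hash-group, e.g. des-md5-modp3072>: checks each
# component against the phase 1 (IKE) lists; returns 1 if any is missing ("not present").
check_ike_proposal() {
    status="$1" rc=0
    enc=${2%%-*} rest=${2#*-}
    hash=${rest%%-*} grp=${rest#*-}
    for spec in "encrypt $enc" "hash $hash" "dh $grp"; do
        kind=${spec% *} alg=${spec#* }
        if loaded_algs "$status" IKE "$kind" | grep -qx "$alg"; then
            case "$alg" in des|md5) echo "$alg: loaded, but obsolete; prefer a stronger algorithm" ;;
                           *)       echo "$alg: loaded" ;; esac
        else
            echo "$alg: NOT loaded for IKE (phase 1)"; rc=1
        fi
    done
    return $rc
}

# Stand-alone demo: the failing proposal from the thread, then Peter's suggested fix.
for p in des-md5-modp3072 3des-md5-modp3072; do
    echo "== ike=$p"
    check_ike_proposal "$STATUS_SAMPLE" "$p" || echo "   phase 1 would fail with this ike= line"
done
```

On a live host, replace STATUS_SAMPLE with `ipsec auto --status` output; the ESP lists can be checked the same way with the second argument set to ESP.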
