[Openswan Users] "ike" parameter in ipsec.conf file

Jennifer Agarwal jsagarwal at exqss.com
Thu Dec 11 13:14:51 EST 2008


To all,

I am having trouble understanding the "ike" parameter in the ipsec.conf file.  According to the man page, ike=cipher-hash-modgroup, but what are all the possible choices?

The man page for ipsec.conf shows some examples which I am trying between two machines I am using.  The conn definition I am using is below.  On the other side the "ike" parameter is not set, therefore defaulting to allowing all possible combinations.

conn ipsec0
        authby=secret
        type=tunnel
        ike=3des-md5-modp1024
        left=172.16.163.128
        right=172.16.163.130
        auto=ignore

However, when I run "ipsec auto --replace ipsec0" followed by "ipsec auto --status" on 172.16.163.128 I get the following:

000 interface ipsec0/eth2 172.16.163.128
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "ipsec0": 172.16.163.128...172.16.163.130; unrouted; eroute owner: #0
000 "ipsec0":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ipsec0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ipsec0":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,32; interface: eth2; encap: esp;
000 "ipsec0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ipsec0":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "ipsec0":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)

Then after about 2 minutes I did the "ipsec auto --status" again and got the following:

000 interface ipsec0/eth2 172.16.163.128
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "ipsec0": 172.16.163.128...172.16.163.130; erouted; eroute owner: #46
000 "ipsec0":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ipsec0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ipsec0":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,32; interface: eth2; encap: esp;
000 "ipsec0":   newest ISAKMP SA: #45; newest IPsec SA: #46;
000 "ipsec0":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "ipsec0":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "ipsec0":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024


So it looks like the tunnel has been negotiated with SA #45.  Should I be concerned with the "wanted", "found" and "newest" not all matching?

If anyone could provide me with further examples of what is allowed for the parameter "ike" I would appreciate it.  

Thank you,
Jennifer
*********************************
Jennifer Agarwal
President / Principal Engineer

Exquisite Software Solutions, LLC
(240) 483-8619
jsagarwal at exqss.com
 
*********************************
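Added example, not part of the post above and not Openswan's own code: a small Python checker that parses the three `IKE algorithms wanted/found/newest` lines from the quoted `ipsec auto --status` output together with the `ike=` value from ipsec.conf, normalises both to one form, and reports whether the negotiated ISAKMP SA matches the configured proposal and whether any negotiated algorithm is on a weak list. The keyword-to-name table (`3des` to `3DES_CBC`, `md5` to `MD5`, and so on) is inferred from the OAKLEY_* names in the status output, the `aes128`-style key-length suffix is Openswan's syntax as I recall it, and the weak list is a constructed policy; all three are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Status lines copied from the post's second "ipsec auto --status" output.
STATUS_LINES = [
    '000 "ipsec0":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict',
    '000 "ipsec0":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)',
    '000 "ipsec0":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024',
]


class IkeProposal(NamedTuple):
    cipher: str
    keylen: Optional[int]   # None = not pinned (pluto prints _000 for "default")
    hashalg: str
    group: str


# Assumption: mapping from ipsec.conf keywords to the names pluto prints in
# its status output (derived from the OAKLEY_* entries listed in the post).
CIPHER_NAMES = {"3des": "3DES_CBC", "aes": "AES_CBC"}
HASH_NAMES = {"md5": "MD5", "sha1": "SHA1", "sha": "SHA1"}

# Constructed policy: algorithms a current deployment should not negotiate.
WEAK = {"MD5", "3DES_CBC", "MODP1024"}

_STATUS_RE = re.compile(r'IKE algorithms? (wanted|found|newest): (\S+?)(?:;|$)')
# One token of a pluto proposal string, e.g. 3DES_CBC(5)_192, MD5(1)_128, MODP1024
_TOKEN_RE = re.compile(r'^([A-Z0-9_]+?)(?:\((\d+)\))?(?:_(\d+))?$')


def parse_proposal_string(spec: str) -> IkeProposal:
    """Normalise a pluto proposal string (wanted/found/newest form) to IkeProposal."""
    tokens = spec.split('-')
    if len(tokens) != 3:
        raise ValueError(f"expected cipher-hash-group, got {spec!r}")
    parsed = []
    for tok in tokens:
        m = _TOKEN_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable token {tok!r}")
        name, _algid, keylen = m.groups()
        parsed.append((name, int(keylen) if keylen else None))
    (cipher, clen), (hashalg, _), (group, _) = parsed
    # 000 on the "wanted" line means no key length was pinned in ipsec.conf.
    return IkeProposal(cipher, clen or None, hashalg, group)


def parse_status_line(line: str):
    """Return (kind, IkeProposal) for an 'IKE algorithms ...' line, else None."""
    m = _STATUS_RE.search(line)
    if not m:
        return None
    kind, spec = m.groups()
    return kind, parse_proposal_string(spec)


def parse_ike_conf(value: str) -> IkeProposal:
    """Parse an ipsec.conf ike= value such as 3des-md5-modp1024 or aes256-sha1-modp2048."""
    parts = value.strip().lower().split('-')
    if len(parts) != 3:
        raise ValueError(f"ike= must be cipher-hash-modgroup, got {value!r}")
    cm = re.match(r'^(3des|aes)(\d*)$', parts[0])
    if not cm or parts[1] not in HASH_NAMES or not parts[2].startswith('modp'):
        raise ValueError(f"unsupported ike= value {value!r}")
    keylen = int(cm.group(2)) if cm.group(2) else None
    return IkeProposal(CIPHER_NAMES[cm.group(1)], keylen, HASH_NAMES[parts[1]], parts[2].upper())


def check_negotiation(ike_value: str, status_lines) -> list:
    """Compare the configured proposal with what pluto reports as negotiated."""
    conf = parse_ike_conf(ike_value)
    seen = {}
    for line in status_lines:
        r = parse_status_line(line)
        if r:
            seen[r[0]] = r[1]
    findings = []
    newest = seen.get('newest')
    if newest is None:
        findings.append("NO-SA: no 'IKE algorithm newest' line, ISAKMP SA not established yet")
        return findings
    if (newest.cipher, newest.hashalg, newest.group) == (conf.cipher, conf.hashalg, conf.group):
        findings.append(f"OK: negotiated {newest.cipher}-{newest.hashalg}-{newest.group} matches ike={ike_value}")
    else:
        findings.append(f"MISMATCH: configured {conf} but negotiated {newest}")
    if conf.keylen is None:
        findings.append(f"INFO: key length not pinned in ike=; peer settled on {newest.keylen}-bit {newest.cipher}")
    elif conf.keylen != newest.keylen:
        findings.append(f"MISMATCH: wanted {conf.keylen}-bit {conf.cipher}, got {newest.keylen}-bit")
    for alg in (newest.cipher, newest.hashalg, newest.group):
        if alg in WEAK:
            findings.append(f"WEAK: negotiated SA uses {alg}")
    return findings


if __name__ == "__main__":
    for f in check_negotiation("3des-md5-modp1024", STATUS_LINES):
        print(f)
```

Run against the post's own lines, the checker reports that wanted, found and newest agree on cipher, hash and group (the only difference is that the wanted line shows `_000` because no key length was pinned, and pluto filled in 3DES's 192-bit default), and then flags 3DES, MD5 and MODP1024 as weak by today's standards, which is the more useful thing to act on than the cosmetic difference between the three lines.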

