[Openswan Users] "ike" parameter in ipsec.conf file
Peter McGill
petermcgill at goco.net
Thu Dec 11 14:21:44 EST 2008
Jennifer,
Possible combinations depend on how you built openswan and your kernel.
But ipsec auto status will output the acceptable options.
I'll explain from your output below:
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
ike=3des
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
ike=aes,aes128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
ike=cipher-md5
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
ike=cipher-sha,cipher-sha1
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
ike=cipher-hash-modp1024 # Diffie-Hellman Group 2
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
ike=cipher-hash-modp1536 # Diffie-Hellman Group 5
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
ike=cipher-hash-modp2048 # Diffie-Hellman Group 14
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
ike=cipher-hash-modp3072 # Diffie-Hellman Group 15
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
ike=cipher-hash-modp4096 # Diffie-Hellman Group 16
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
ike=cipher-hash-modp6144 # Diffie-Hellman Group 17
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
ike=cipher-hash-modp8192 # Diffie-Hellman Group 18
Although 1024 and 1536 bit dh groups are considered sufficient for 128 bit encryption.
You can find acceptable esp options the same way:
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
esp=3des
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
esp=aes,aes128,aes192,aes256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
esp=cipher-md5
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
esp=cipher-sha,cipher-sha1 # Note sha2 is recommended for aes256
You have the normal options available with your openswan installation.
Some people customize kernel and openswan to allow more options, but it's not really necessary.
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Jennifer Agarwal
> Sent: December 11, 2008 1:15 PM
> To: users at openswan.org
> Subject: [Openswan Users] "ike" parameter in ipsec.conf file
>
> To all,
>
> I am having trouble understanding the "ike" parameter in the
> ipsec.conf file. According to the man page
>
> ike=cipher-hash-modgroup but what are all the possible choices.
>
> The man page for ipsec.conf shows some examples which I am
> trying between two machines I am using. The conn definition
> I am using is below. On the otherside of the "ike" parameter
> is not set therefore defaulting to allowing all possible combinations.
>
> conn ipsec0
> authby=secret
> type=tunnel
> ike=3des-md5-modp1024
> left=172.16.163.128
> right=172.16.163.130
> auto=ignore
>
> However when I "ipsec auto --replace ipsec0" followed by
> "ipsec auto --status on 172.16.163.128 I get the following:
>
> 000 interface ipsec0/eth2 172.16.163.128
> 000 %myid = (none)
> 000 debug
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+co
> ntrolmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1,
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2,
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
> bits=1536
> 000 algorithm IKE dh group: id=14,
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15,
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16,
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17,
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18,
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz}
> :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "ipsec0": 172.16.163.128...172.16.163.130; unrouted;
> eroute owner: #0
> 000 "ipsec0": srcip=unset; dstip=unset; srcup=ipsec
> _updown; dstup=ipsec _updown;
> 000 "ipsec0": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "ipsec0": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,32;
> interface: eth2; encap: esp;
> 000 "ipsec0": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "ipsec0": IKE algorithms wanted:
> 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
> 000 "ipsec0": IKE algorithms found:
> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>
> Then after about 2 minutes I did the "ipsec auto --status"
> again and got the following:
>
> 000 interface ipsec0/eth2 172.16.163.128
> 000 %myid = (none)
> 000 debug
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+co
> ntrolmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1,
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2,
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
> bits=1536
> 000 algorithm IKE dh group: id=14,
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15,
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16,
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17,
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18,
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz}
> :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "ipsec0": 172.16.163.128...172.16.163.130; erouted;
> eroute owner: #46
> 000 "ipsec0": srcip=unset; dstip=unset; srcup=ipsec
> _updown; dstup=ipsec _updown;
> 000 "ipsec0": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "ipsec0": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,32;
> interface: eth2; encap: esp;
> 000 "ipsec0": newest ISAKMP SA: #45; newest IPsec SA: #46;
> 000 "ipsec0": IKE algorithms wanted:
> 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
> 000 "ipsec0": IKE algorithms found:
> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
> 000 "ipsec0": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
>
>
> So it looks like the tunnel has been negotiated with SA#45.
> Should I be concerned with the "wanted" "found" and newest
> not all matching?
>
> If anyone could provide me with further examples of what is
> allowed for the parameter "ike" I would appreciate it.
>
> Thank you,
> Jennifer
>
>
> *********************************
>
> Jennifer Agarwal
>
> President / Principal Engineer
>
>
> Exquisite Software Solutions, LLC
>
> (240) 483-8619
>
> jsagarwal at exqss.com
>
>
>
> *********************************
>
>
>
>
> ________________________________
>
> Search from any Web page with powerful protection. Get the
> FREE Windows Live Toolbar Today! Try it now!
> <http://get.live.com/toolbar/overview>
>
More information about the Users
mailing list