[Openswan Users] "ike" parameter in ipsec.conf file

Peter McGill petermcgill at goco.net
Thu Dec 11 14:21:44 EST 2008


Jennifer,

Possible combinations depend on how you built openswan and your kernel.
But ipsec auto status will output the acceptable options.
I'll explain from your output below:
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
	ike=3des
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
	ike=aes,aes128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
	ike=cipher-md5
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
	ike=cipher-sha,cipher-sha1
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
	ike=cipher-hash-modp1024 # Diffie-Hellman Group 2
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
	ike=cipher-hash-modp1536 # Diffie-Hellman Group 5
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
	ike=cipher-hash-modp2048 # Diffie-Hellman Group 14
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
	ike=cipher-hash-modp3072 # Diffie-Hellman Group 15
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
	ike=cipher-hash-modp4096 # Diffie-Hellman Group 16
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
	ike=cipher-hash-modp6144 # Diffie-Hellman Group 17
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
	ike=cipher-hash-modp8192 # Diffie-Hellman Group 18
Although 1024- and 1536-bit DH groups are considered sufficient for 128-bit encryption.
You can find acceptable esp options the same way:
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
	esp=3des
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
	esp=aes,aes128,aes192,aes256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
	esp=cipher-md5
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
	esp=cipher-sha,cipher-sha1 # Note sha2 is recommended for aes256
You have the normal options available with your openswan installation.
Some people customize kernel and openswan to allow more options, but it's not really necessary.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
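The derivation Peter describes above, turning the algorithm lines of `ipsec auto --status` into the tokens usable in `ike=` and `esp=` and then checking a proposed value against them, as an added example that is not part of this thread or of Openswan itself. It assumes the name-to-token mapping the reply shows (strip the OAKLEY_, OAKLEY_GROUP_, ESP_ and AUTH_ALGORITHM_HMAC_ prefixes and the _CBC suffix, then lower-case), that only AES takes a key-length suffix, and that AES key sizes step by 64 bits between keysizemin and keysizemax; the status lines embedded in it are constructed in the format quoted in the thread.

```python
import re

# Constructed sample in the format of the "ipsec auto --status" lines quoted in this thread.
SAMPLE_STATUS = """\
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
"""

LINE_RE = re.compile(r"^000 algorithm (IKE|ESP) (encrypt|hash|auth attr|dh group): (.*)$")

# Stripping these yields the lower-case config token (OAKLEY_3DES_CBC -> 3des,
# OAKLEY_GROUP_MODP1024 -> modp1024, AUTH_ALGORITHM_HMAC_SHA1 -> sha1).
PREFIXES = ("OAKLEY_GROUP_", "OAKLEY_", "AUTH_ALGORITHM_HMAC_", "ESP_")
SUFFIXES = ("_CBC",)

# Assumption: only AES takes an explicit key-length suffix (aes128/aes192/aes256).
VARIABLE_KEY_CIPHERS = {"aes"}


def name_to_token(name):
    for p in PREFIXES:
        if name.startswith(p):
            name = name[len(p):]
            break
    for s in SUFFIXES:
        if name.endswith(s):
            name = name[: -len(s)]
    return name.lower()


def parse_status(text):
    """Group algorithm lines into {"IKE": {kind: [fields]}, "ESP": {kind: [fields]}}."""
    out = {"IKE": {}, "ESP": {}}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        proto, kind, rest = m.groups()
        fields = {}
        for kv in rest.split(","):
            key, _, val = kv.strip().partition("=")
            fields[key] = val
        out[proto].setdefault(kind, []).append(fields)
    return out


def encrypt_tokens(fields, proto):
    """Cipher tokens for one encrypt line, with key-size variants where the cipher allows it."""
    base = name_to_token(fields["name"])
    tokens = [base]
    if base in VARIABLE_KEY_CIPHERS:
        if proto == "ESP":
            lo, hi = int(fields["keysizemin"]), int(fields["keysizemax"])
            # Assumption: usable key sizes step by 64 bits from min to max (128/192/256 for AES).
            tokens += [f"{base}{k}" for k in range(lo, hi + 1, 64)]
        else:
            tokens.append(f"{base}{fields['keydeflen']}")  # IKE lines only give the default
    return tokens


def acceptable(status):
    """Map each proto to the tokens usable in the cipher, hash and DH-group slots."""
    table = {}
    for proto, kinds in status.items():
        ciphers, hashes, groups = [], [], []
        for f in kinds.get("encrypt", []):
            ciphers += encrypt_tokens(f, proto)
        for f in kinds.get("hash", []) + kinds.get("auth attr", []):
            h = name_to_token(f["name"])
            hashes.append(h)
            if h == "sha1":
                hashes.append("sha")  # both spellings are accepted, as the reply notes
        for f in kinds.get("dh group", []):
            groups.append(name_to_token(f["name"]))
        table[proto] = {"cipher": ciphers, "hash": hashes, "group": groups}
    return table


def check_proposal(value, proto, table):
    """Validate an ike=/esp= value such as "3des-md5-modp1024,aes128-sha1-modp2048".

    Returns [(proposal, problems)]; an empty problems list means every slot is offered.
    """
    slots = ["cipher", "hash", "group"]
    results = []
    for proposal in value.split(","):
        parts = proposal.strip().split("-")
        problems = [f"{slot} '{part}' not offered"
                    for part, slot in zip(parts, slots) if part not in table[proto][slot]]
        if len(parts) > len(slots):
            problems.append(f"too many components in '{proposal.strip()}'")
        results.append((proposal.strip(), problems))
    return results


def advisories(value):
    """Hint drawn from the reply above: sha2 is recommended with aes256."""
    hints = []
    for proposal in value.split(","):
        parts = proposal.strip().split("-")
        if parts[0] == "aes256" and len(parts) > 1 and not parts[1].startswith("sha2"):
            hints.append(f"{proposal.strip()}: sha2 is recommended for aes256")
    return hints


if __name__ == "__main__":
    table = acceptable(parse_status(SAMPLE_STATUS))
    for proto in ("IKE", "ESP"):
        print(proto, table[proto])
    print(check_proposal("3des-md5-modp1024,aes256-sha1-modp2048", "IKE", table))
    print(check_proposal("aes256-sha1", "ESP", table), advisories("aes256-sha1"))
```

Run it against the real output of `ipsec auto --status` by reading stdin instead of `SAMPLE_STATUS`; a proposal that comes back with a problem is one this build cannot negotiate, which is exactly what `flags=strict` in the connection status will then refuse.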

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Jennifer Agarwal
> Sent: December 11, 2008 1:15 PM
> To: users at openswan.org
> Subject: [Openswan Users] "ike" parameter in ipsec.conf file
> 
> To all,
> 
> I am having trouble understanding the "ike" parameter in the 
> ipsec.conf file.  According to the man page 
> 
> ike=cipher-hash-modgroup  but what are all the possible choices.  
> 
> The man page for ipsec.conf shows some examples which I am 
> trying between two machines I am using.  The conn definition 
> I am using is below.  On the other side the "ike" parameter 
> is not set, therefore defaulting to allowing all possible combinations.
> 
> conn ipsec0
>         authby=secret
>         type=tunnel
>         ike=3des-md5-modp1024
>         left=172.16.163.128
>         right=172.16.163.130
>         auto=ignore
> 
> However when I "ipsec auto --replace ipsec0" followed by 
> "ipsec auto --status" on 172.16.163.128 I get the following:
> 
> 000 interface ipsec0/eth2 172.16.163.128
> 000 %myid = (none)
> 000 debug 
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+co
> ntrolmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, 
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, 
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, 
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, 
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, 
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, 
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, 
> bits=1536
> 000 algorithm IKE dh group: id=14, 
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, 
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, 
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, 
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, 
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} 
> :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "ipsec0": 172.16.163.128...172.16.163.130; unrouted; 
> eroute owner: #0
> 000 "ipsec0":     srcip=unset; dstip=unset; srcup=ipsec 
> _updown; dstup=ipsec _updown;
> 000 "ipsec0":   ike_life: 3600s; ipsec_life: 28800s; 
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "ipsec0":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,32; 
> interface: eth2; encap: esp;
> 000 "ipsec0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "ipsec0":   IKE algorithms wanted: 
> 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
> 000 "ipsec0":   IKE algorithms found: 
> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
> 
> Then after about 2 minutes I did the "ipsec auto --status" 
> again and got the following:
> 
> 000 interface ipsec0/eth2 172.16.163.128
> 000 %myid = (none)
> 000 debug 
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+co
> ntrolmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, 
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, 
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, 
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, 
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, 
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, 
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, 
> bits=1536
> 000 algorithm IKE dh group: id=14, 
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, 
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, 
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, 
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, 
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} 
> :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "ipsec0": 172.16.163.128...172.16.163.130; erouted; 
> eroute owner: #46
> 000 "ipsec0":     srcip=unset; dstip=unset; srcup=ipsec 
> _updown; dstup=ipsec _updown;
> 000 "ipsec0":   ike_life: 3600s; ipsec_life: 28800s; 
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "ipsec0":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 32,32; 
> interface: eth2; encap: esp;
> 000 "ipsec0":   newest ISAKMP SA: #45; newest IPsec SA: #46;
> 000 "ipsec0":   IKE algorithms wanted: 
> 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
> 000 "ipsec0":   IKE algorithms found: 
> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
> 000 "ipsec0":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 
> 
> So it looks like the tunnel has been negotiated with SA#45.  
> Should I be concerned with the "wanted" "found" and newest 
> not all matching?
> 
> If anyone could provide me with further examples of what is 
> allowed for the parameter "ike" I would appreciate it.  
> 
> Thank you,
> Jennifer
> 
> 
> *********************************
> 
> Jennifer Agarwal
> 
> President / Principal Engineer
> 
> 
> Exquisite Software Solutions, LLC
> 
> (240) 483-8619
> 
> jsagarwal at exqss.com
> 
>  
> 
> *********************************
> 
> 
> 
> 
> 