[Openswan Users] Config file Question.
Peter McGill
petermcgill at goco.net
Wed Feb 18 14:29:41 EST 2009
Nothing in the information suggests that 256 bit AES is required.
Also esp doesn't allow you to enter a DH group, instead it uses the same
group as phase 1 ike.
I suggest the following changes accordingly, otherwise your conn looks good.
ike=aes-sha1-modp1024
esp=aes-sha1
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Magnus Holmberg
> Sent: February 18, 2009 2:16 PM
> To: Users at openswan.org
> Subject: [Openswan Users] Config file Question.
>
> I like to setup a vpn connection to another server and received the
> information that it should be setup like:
>
> Encryption method: IKE
> Transforms: ESP
>
> IKE Phase1:
> Encryption algorithm: AES
> Hash method: SHA1
> Diffie-Hellman group: 2 (1024 bits)
> IKE key lifetime: 28800sec
>
> IKE Phase2:
> Encryption algorithm: AES
> Hash method: SHA1
> Diffie-Hellman group: 2 (1024 bits)
> IPsec key lifetime: 3600sec
> Aggressive mode: disabled
>
>
> Can someone help me with the config here.
> I.e. I wonder what the esp= and ike should be set to.
>
>
> Is this correct:
>
> conn VPN
> authby=secret
> auto=start
> rekey =yes
> left=x.x.x.x
> leftsubnet=x.x.x.x.192/28
> auth = esp
> keyexchange=ike
> ikelifetime=28800s
> keylife=3600s
> right=y.y.y.y
> rightsubnet=y.y.y/29
> ike=aes256-sha1-modp1024
> esp=aes256-sha1-modp1024
> dpddelay=3
> dpdtimeout=120
> dpdaction=restart
> aggrmode=no
>
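A small check, added here as an example (it is not part of the original thread or of Openswan), that compares a conn's ike= and esp= lines with the parameters the peer listed and applies the two points made in the reply. The names PEER, POSTED, SUGGESTED, parse_conn, split_proposal and lint are hypothetical, and the sample conn is constructed from the lines quoted above.

```python
import re

# Peer's stated parameters, copied from the original message (DH group 2 = modp1024).
PEER = {"cipher": "aes", "hash": "sha1", "dh": "modp1024"}

# Constructed sample: the proposal lines of the conn posted in the thread.
POSTED = """conn VPN
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
"""
# The same conn with the two lines suggested in the reply.
SUGGESTED = POSTED.replace("ike=aes256-sha1-modp1024", "ike=aes-sha1-modp1024") \
                  .replace("esp=aes256-sha1-modp1024", "esp=aes-sha1")

def parse_conn(text):
    """Return {option: value} for one conn section; spaces around '=' are ignored."""
    opts = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def split_proposal(value):
    """'aes256-sha1-modp1024' -> ('aes', '256', 'sha1', 'modp1024')."""
    parts = value.lower().split("-")
    m = re.fullmatch(r"(.*?[a-z])(\d*)", parts[0])
    cipher, bits = (m.group(1), m.group(2)) if m else (parts[0], "")
    hash_alg = parts[1] if len(parts) > 1 else None
    dh = parts[2] if len(parts) > 2 else None
    return cipher, bits, hash_alg, dh

def lint(text, peer=PEER):
    """List the places where the conn departs from the peer's stated parameters."""
    opts, findings = parse_conn(text), []
    for key in ("ike", "esp"):
        cipher, bits, hash_alg, dh = split_proposal(opts.get(key, ""))
        if (cipher, hash_alg) != (peer["cipher"], peer["hash"]):
            findings.append(f"{key}: {cipher}/{hash_alg} is not what the peer listed")
        if bits:
            findings.append(f"{key}: key size {bits} set, peer did not state one")
        if key == "ike" and dh != peer["dh"]:
            findings.append(f"ike: DH group {dh}, peer listed {peer['dh']}")
        if key == "esp" and dh:
            findings.append(f"esp: DH group {dh} given; the reply drops it from esp=")
    return findings
```

Running `lint(POSTED)` reports the explicit 256-bit key size on both lines and the DH group on esp=, while `lint(SUGGESTED)` returns an empty list.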