[Openswan Users] Config file Question.
Magnus Holmberg
magnus.holmberg at pepto.se
Fri Feb 20 09:37:25 EST 2009
I get something like this from whack
000 "XXX": IKE algorithms wanted: BLOWFISH(7)_000-SHA1(2)-2, flags=strict
000 "XXX": IKE algorithms found: BLOWFISH(7)_128-SHA1(2)_160-2,
000 "XXX": ESP algorithms wanted: AES(12)_000-SHA1(2), flags=strict
000 "XXX": ESP algorithms loaded: AES(12)_000-SHA1(2), flags=strict
What am I doing wrong?
Peter McGill wrote:
> Nothing in the information suggests that 256 bit AES is required.
> Also esp doesn't allow you to enter a DH group, instead it uses the same
> group as phase 1 ike.
> I suggest the following changes accordingly, otherwise your conn looks good.
> ike=aes-sha1-modp1024
> esp=aes-sha1
>
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited
>
>
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Magnus Holmberg
>> Sent: February 18, 2009 2:16 PM
>> To: Users at openswan.org
>> Subject: [Openswan Users] Config file Question.
>>
>> I like to set up a vpn connection to another server and received the
>> information that it should be set up like:
>>
>> Encryption method: IKE
>> Transforms: ESP
>>
>> IKE Phase1:
>> Encryption algorithm: AES
>> Hash method: SHA1
>> Diffie-Hellman group: 2 (1024 bits)
>> IKE key lifetime: 28800sec
>>
>> IKE Phase2:
>> Encryption algorithm: AES
>> Hash method: SHA1
>> Diffie-Hellman group: 2 (1024 bits)
>> IPsec key lifetime: 3600sec
>> Aggressive mode: disabled
>>
>>
>> Can someone help me with the config here.
>> I.e. I wonder what the esp= and ike should be set to.
>>
>>
>> Is this correct:
>>
>> conn VPN
>>     authby=secret
>>     auto=start
>>     rekey =yes
>>     left=x.x.x.x
>>     leftsubnet=x.x.x.x.192/28
>>     auth = esp
>>     keyexchange=ike
>>     ikelifetime=28800s
>>     keylife=3600s
>>     right=y.y.y.y
>>     rightsubnet=y.y.y/29
>>     ike=aes256-sha1-modp1024
>>     esp=aes256-sha1-modp1024
>>     dpddelay=3
>>     dpdtimeout=120
>>     dpdaction=restart
>>     aggrmode=no
>>
>
>
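An added example, not part of the thread or of Openswan: a small Python decoder for the four status lines quoted at the top of this message, which looks up the number in parentheses in the IANA IKEv1 and IPsec DOI registries and compares the "wanted" proposal with the peer's stated requirements. It assumes that number is the registry transform ID for the phase on that line and that the first comma-terminated token is the proposal; the tables are subsets, and `decode`, `check`, `SAMPLE` and `REQUIRED` are names made up for this example.

```python
import re

# Subsets of the IANA IKEv1 / IPsec DOI registries (not Openswan's own tables).
REG = {
    "IKE": {"enc": {1: "DES-CBC", 3: "Blowfish-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
            "auth": {1: "MD5", 2: "SHA1"}},
    "ESP": {"enc": {3: "3DES", 7: "Blowfish", 11: "NULL", 12: "AES-CBC"},
            "auth": {1: "HMAC-MD5", 2: "HMAC-SHA1"}},
}
DH_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
LINE = re.compile(r'^000 "([^"]+)": (IKE|ESP) algorithms (wanted|found|loaded): (.*)$')
ALG = re.compile(r'^([A-Z0-9_]+)\((\d+)\)(?:_(\d+))?$')

def decode(line):
    """Decode one status line; return None if it is not an algorithm line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    conn, proto, state, body = m.groups()
    # Assumption: the text up to the first comma is the proposal (ENC-AUTH[-GROUP]).
    parts = body.split(",")[0].strip().split("-")
    enc = ALG.match(parts[0])
    auth = ALG.match(parts[1]) if len(parts) > 1 else None
    if not enc or not auth:
        return None
    grp = parts[2] if len(parts) > 2 else ""
    return {"conn": conn, "proto": proto, "state": state, "label": enc.group(1),
            "enc": REG[proto]["enc"].get(int(enc.group(2)), "unknown"),
            "keylen": int(enc.group(3) or 0),
            "auth": REG[proto]["auth"].get(int(auth.group(2)), "unknown"),
            "group": DH_GROUP.get(int(grp), "unknown") if grp.isdigit() else None}

def check(lines, required):
    """List (proto, field, decoded, required) for each 'wanted' value that differs."""
    decoded = [d for d in map(decode, lines) if d and d["state"] == "wanted"]
    return [(d["proto"], f, d[f], want) for d in decoded
            for f, want in required.get(d["proto"], {}).items() if d[f] != want]

# The four status lines quoted in the message above.
SAMPLE = [
    '000 "XXX": IKE algorithms wanted: BLOWFISH(7)_000-SHA1(2)-2, flags=strict',
    '000 "XXX": IKE algorithms found: BLOWFISH(7)_128-SHA1(2)_160-2,',
    '000 "XXX": ESP algorithms wanted: AES(12)_000-SHA1(2), flags=strict',
    '000 "XXX": ESP algorithms loaded: AES(12)_000-SHA1(2), flags=strict',
]
# Peer requirements from the original question: AES, SHA1, DH group 2 (1024 bits).
REQUIRED = {"IKE": {"enc": "AES-CBC", "auth": "SHA1", "group": "modp1024"},
            "ESP": {"enc": "AES-CBC", "auth": "HMAC-SHA1"}}

if __name__ == "__main__":
    print([decode(l) for l in SAMPLE], check(SAMPLE, REQUIRED))
```

The `label` field keeps the name exactly as printed, so it can be read next to the registry name for the same ID.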