[Openswan Users] How to configure esp string for ikev2 in ipsec.conf file?
Jun Yin
hansyin at gmail.com
Thu Jul 16 17:32:11 EDT 2009
Hi,
My configuration file:
conn to_dut1
    type=tunnel
    authby=secret
    left=192.168.5.221
    leftnexthop=192.168.5.112
    right=192.168.2.100
    rightsubnet=192.168.6.0/24
    rightnexthop=192.168.6.100
    ike=3des-sha1-modp1536!
    #here I don't know how to specify dhgrp properly
    esp=3des-md5;modp1024!
    ikev2=insist
    keyexchange=ike
    auto=add
For the esp string, it only works when using "ike=3des-sha1", but I
hope I can specify the pfsgroup. I tried the strings below:
    esp=3des-sha1,modp1536
    esp=3des-sha1;modp1536
    phase2alg=3des-md5-modp1536
    phase2alg=3des-md5,modp1536
    phase2alg=3des-md5;modp1536
None of them works. Sometimes syslog shows this error:
esp string error: Non initial digit found for auth keylen, just after
"3des-md5-" (old_state=ST_AA_END)
Sometimes no error is reported, but the peer side claims "no PFS set".
If using ikev1, there is no problem.
Could somebody help me figure it out? Thanks in advance.
--
Rgds,
Hans Yin
Web: homeofhans.homeip.net
Email: hansyin at gmail.com
MSN: hansyin at hotmail.com
Skype: hans_yin_vancouver