[Openswan Users] How to configure esp string for ikev2 in ipsec.conf file?

Paul Wouters paul at xelerance.com
Mon Jul 20 00:42:18 EDT 2009

On Thu, 16 Jul 2009, Jun Yin wrote:

> conn to_dut1
>     type=tunnel
>     authby=secret
>     left=
>     leftnexthop=
>     right=
>     rightsubnet=
>     rightnexthop=
>     ike=3des-sha1-modp1536!
>     #here I don't know how to specify dhgrp properly
>     esp=3des-md5;modp1024!

Don't use the "!" syntax. If any esp/ike is specified, it always means that it is
the restrictive set.

>     ikev2=insist
>     keyexchange=ike
>     auto=add
> For the esp string, it only works when using "ike=3des-sha1", but I
> hope I can specify pfsgroup.  I tried the strings below:
> esp=3des-sha1,modp1536
> esp=3des-sha1;modp1536
> phase2alg=3des-md5-modp1536
> phase2alg=3des-md5,modp1536
> phase2alg=3des-md5;modp1536
> None of them work. Sometimes syslog shows this error:
> esp string error: Non initial digit found for auth keylen, just after
> "3des-md5-" (old_state=ST_AA_END)
> Sometimes no error is reported, but the peer side claims "no PFS set".
> If using ikev1, then there is no problem.

If so, then this is a bug. Please file it on bugs.openswan.org.
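To make the syslog error quoted above concrete, here is a small parser added to this archive page (example code written for this thread, not Openswan's own alg_info code) that follows the ealg[-keylen]-aalg[-keylen][;dhgroup] shape of an esp=/phase2alg= value, with "," separating alternative proposals and a trailing "!" for the strict form. The algorithm and DH group tables are a hypothetical subset, and the grammar is a simplification. Run over the five strings from the post, it shows why "3des-md5-modp1536" fails at the auth key-length position (only digits may follow "ealg-aalg-"), why "3des-sha1,modp1536" is read as a second proposal whose encryption algorithm is "modp1536", and that only the ";modpNNNN" form actually attaches a PFS group.

```python
"""Toy parser for Openswan-style esp= / phase2alg= strings (example code for
this thread, not Openswan's own alg_info parser). Grammar assumed here:

    proposal ::= ealg [ "-" ekeylen ] "-" aalg [ "-" akeylen ] [ ";" dhgroup ]
    string   ::= proposal ( "," proposal )* [ "!" ]

"," separates alternative proposals, ";" attaches the PFS (DH) group to the
proposal before it, and a trailing "!" marks the strict form.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical algorithm tables: only what the thread needs.
ENC_ALGS = {"3des", "aes"}
AUTH_ALGS = {"md5", "sha1"}
DH_GROUPS = {"modp1024", "modp1536", "modp2048"}


class EspStringError(ValueError):
    """Raised for a string the grammar above does not accept."""


@dataclass
class Proposal:
    ealg: str
    ekeylen: Optional[int]
    aalg: str
    akeylen: Optional[int]
    dhgroup: Optional[str]


@dataclass
class EspSpec:
    proposals: List[Proposal]
    strict: bool


def parse_proposal(text: str) -> Proposal:
    """Parse one proposal, consuming the hyphen-separated tokens left to right."""
    algs, sep, dh = text.partition(";")
    dhgroup = None
    if sep:
        if dh not in DH_GROUPS:
            raise EspStringError(f'unknown DH group "{dh}" in "{text}"')
        dhgroup = dh

    parts = algs.split("-")
    ealg = parts[0]
    if ealg not in ENC_ALGS:
        # "modp1536" ends up here when "," is used instead of ";".
        raise EspStringError(f'unknown encryption algorithm "{ealg}" in "{text}"')
    idx = 1
    ekeylen = None
    if idx < len(parts) and parts[idx].isdigit():
        ekeylen = int(parts[idx])
        idx += 1

    if idx >= len(parts):
        raise EspStringError(f'missing authentication algorithm in "{text}"')
    aalg = parts[idx]
    if aalg not in AUTH_ALGS:
        raise EspStringError(f'unknown authentication algorithm "{aalg}" in "{text}"')
    idx += 1
    akeylen = None
    if idx < len(parts):
        # After "ealg-aalg-" only a key length may follow; this is exactly
        # where "3des-md5-modp1536" from the thread fails.
        consumed = "-".join(parts[:idx]) + "-"
        if not parts[idx].isdigit():
            raise EspStringError(
                f'Non initial digit found for auth keylen, just after "{consumed}"'
            )
        akeylen = int(parts[idx])
        idx += 1
    if idx < len(parts):
        raise EspStringError(f'trailing text after "{"-".join(parts[:idx])}-" in "{text}"')
    return Proposal(ealg, ekeylen, aalg, akeylen, dhgroup)


def parse_esp_string(spec: str) -> EspSpec:
    """Parse a whole esp=/phase2alg= value into its proposals plus the strict flag."""
    spec = spec.strip()
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    if not spec:
        raise EspStringError("empty esp string")
    return EspSpec([parse_proposal(p) for p in spec.split(",")], strict)


def has_pfs(spec: EspSpec) -> bool:
    """True only if every proposal carries a DH group; a proposal without one
    is what a peer reports as "no PFS set"."""
    return all(p.dhgroup is not None for p in spec.proposals)


if __name__ == "__main__":
    # The strings tried in the thread, in the order they were posted.
    for candidate in ("3des-md5;modp1024!", "3des-sha1,modp1536",
                      "3des-sha1;modp1536", "3des-md5-modp1536"):
        try:
            spec = parse_esp_string(candidate)
            print(f"{candidate:20} ok  pfs={has_pfs(spec)} strict={spec.strict}")
        except EspStringError as exc:
            print(f"{candidate:20} error: {exc}")
```

This only explains the parse-time failures; the case where "3des-sha1;modp1536" parses cleanly but the IKEv2 peer still reports "no PFS set" is the behaviour Paul asks to have filed as a bug, and no string syntax works around it. The 3des, md5 and modp1024 values appear here only because they are what was posted; they are legacy choices, and a connection configured today should prefer AES with a SHA-2 integrity algorithm and at least modp2048 where both peers support them.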

