[Openswan Users] How to configure esp string for ikev2 in ipsec.conf file?
Paul Wouters
paul at xelerance.com
Mon Jul 20 00:42:18 EDT 2009
On Thu, 16 Jul 2009, Jun Yin wrote:
> conn to_dut1
> type=tunnel
> authby=secret
> left=192.168.5.221
> leftnexthop=192.168.5.112
> right=192.168.2.100
> rightsubnet=192.168.6.0/24
> rightnexthop=192.168.6.100
> ike=3des-sha1-modp1536!
> #here I don't know how to specify dhgrp properly
> esp=3des-md5;modp1024!
Don't use the "!" syntax. If any esp/ike is specified, it always means that is
the restrictive set.
> ikev2=insist
> keyexchange=ike
> auto=add
>
>
> For the esp string, it only works when using "ike=3des-sha1", but I
> hope I can specify pfsgroup. I tried below string:
>
> esp=3des-sha1,modp1536
> esp=3des-sha1;modp1536
> phase2alg=3des-md5-modp1536
> phase2alg=3des-md5,modp1536
> phase2alg=3des-md5;modp1536
>
> none of them works. Sometimes syslog shows this error:
> esp string error: Non initial digit found for auth keylen, just after
> "3des-md5-" (old_state=ST_AA_END)
> sometimes no error reported, but peer side claims "no PFS set"
>
> If using ikev1, then no problem.
If so, then this is a bug. Please file it on bugs.openswan.org.
Paul
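To make the separator rules behind the errors in this thread visible, here is a small Python model of the esp=/phase2alg= proposal syntax. It is an added example, not Openswan's own parser and not code from the thread: it assumes a simplified grammar (proposals separated by ",", encryption and auth separated by "-", a PFS group after ";", a trailing "!" for strict mode) and a constructed, deliberately short table of algorithm names. Run against the strings Jun Yin tried, it shows why "3des-md5-modp1536" stops right after the auth name, why "3des-sha1,modp1536" is read as a second proposal rather than a PFS group, and flags the "!" that Paul advises against.

```python
"""Simplified model of the Openswan-style esp=/phase2alg= proposal grammar.

Illustrative re-implementation, not Openswan's parser (assumption):
    esp      = proposal ("," proposal)* ["!"]
    proposal = enc[keylen] ["-" auth[keylen]] [";" modpNNNN]
"""
import re
from dataclasses import dataclass
from typing import List, Optional

TOKEN = re.compile(r"[A-Za-z0-9_]+")
DH_GROUP = re.compile(r"modp[0-9]+$")

# Constructed, deliberately short name tables for the example; the real
# sets live in Openswan's algorithm tables.
ENC_ALGS = {"3des", "aes", "null"}
AUTH_ALGS = {"md5", "sha1", "sha2_256"}


@dataclass
class Proposal:
    enc: str
    enc_keylen: Optional[int]
    auth: Optional[str]
    auth_keylen: Optional[int]
    dh_group: Optional[str]


@dataclass
class EspString:
    proposals: List[Proposal]
    strict: bool  # trailing "!" present


class EspSyntaxError(ValueError):
    pass


def _take_alg(text: str, pos: int, kind: str, table: set):
    """Read an algorithm token at pos; trailing digits on a known base name are a key length."""
    m = TOKEN.match(text, pos)
    if not m:
        raise EspSyntaxError(f"expected {kind} algorithm name just after {text[:pos]!r}")
    tok, pos = m.group(0).lower(), m.end()
    if tok in table:                      # e.g. "3des", "md5"
        return tok, None, pos
    base = tok.rstrip("0123456789")       # e.g. "aes128" -> "aes" + 128
    if base in table and base != tok:
        return base, int(tok[len(base):]), pos
    raise EspSyntaxError(f"unknown {kind} algorithm {tok!r} in {text!r}")


def _parse_proposal(text: str) -> Proposal:
    enc, enc_keylen, pos = _take_alg(text, 0, "encryption", ENC_ALGS)
    auth = auth_keylen = dh = None
    if pos < len(text) and text[pos] == "-":
        auth, auth_keylen, pos = _take_alg(text, pos + 1, "auth", AUTH_ALGS)
    if pos < len(text) and text[pos] == ";":
        dh = text[pos + 1:].lower()
        if not DH_GROUP.match(dh):
            raise EspSyntaxError(f"bad DH group {dh!r} after ';' in {text!r}")
        pos = len(text)
    if pos != len(text):
        # Wording mirrors the syslog line quoted in the thread: after an auth
        # name only ';' (PFS group), ',' (next proposal) or end of string may
        # follow, so a second '-' as in "3des-md5-modp1536" is rejected here.
        which = "auth" if auth else "enc"
        raise EspSyntaxError(
            f"non initial digit found for {which} keylen, just after {text[:pos + 1]!r}")
    return Proposal(enc, enc_keylen, auth, auth_keylen, dh)


def parse_esp(value: str) -> EspString:
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    if not value:
        raise EspSyntaxError("empty esp string")
    return EspString([_parse_proposal(p) for p in value.split(",")], strict)


def lint_esp(value: str) -> List[str]:
    """Return findings for an esp= value; an empty list means it parses cleanly."""
    try:
        parsed = parse_esp(value)
    except EspSyntaxError as e:
        return [f"syntax error: {e}"]
    notes = []
    if parsed.strict:
        notes.append("'!' is unnecessary: an explicit esp=/ike= list is already restrictive")
    if not any(p.dh_group for p in parsed.proposals):
        notes.append("no PFS group given; add ';modpNNNN' to a proposal if PFS is wanted")
    return notes


if __name__ == "__main__":
    for s in ["3des-md5;modp1024!", "3des-sha1;modp1536", "3des-sha1,modp1536",
              "3des-md5-modp1536", "3des-sha1"]:
        print(f"{s:22} -> {lint_esp(s) or 'ok'}")
```

Of the five strings from the thread, only "3des-sha1;modp1536" parses with a PFS group and no findings under this model; whether ikev2=insist then actually negotiates that group is the separate bug Paul asks to have filed.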