[Openswan Users] IKE / ESP options

Danilo Godec danilo.godec at agenda.si
Thu Apr 29 04:35:18 EDT 2010


Hi,

I'm having trouble with some IKE / ESP options. We need to create an
IPSEC VPN and we're supposed to set it up like this:

>
> ************************************************
> Authentication algorithm: HMAC-SHA1-96
> Encryption: AES_CBC 256-bit
> PFS: DH-Group2
> Lifetime: 22800 sec
>
>    IKE:
>
> Authentication algorithm: SHA 256-bit
> Encryption: AES-CBC 256-bit
> Diffie-Hellman Group: Group 2
> IKE Lifetime: 86400 sec
> ************************************************

The 'ipsec auto --status' says this:

> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
> keysizemin=168, keysizemax=168
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000
> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8,
> keydeflen=128
> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC,
> blocksize=8, keydeflen=128
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192

I tried to set 'ike', 'esp' and 'pfsgroup' parameters, but had no success:

        ike=aes256
        esp=aes256-sha1
        pfsgroup=modp1024
        ikelifetime=86400s
        keylife=28800s


After adding the connection, the 'ipsec auto --status' says:

> 000 "mytunnel-net":   newest ISAKMP SA: #2843; newest IPsec SA: #0;
> eroute owner: #0
> 000 "mytunnel-net":   IKE algorithms wanted: 7_256-1-5, 7_256-2-5,
> 7_256-1-2, 7_256-2-2, 7_256-1-1, 7_256-2-1, flags=-strict
> 000 "mytunnel-net":   IKE algorithms found:  7_256-1_128-5,
> 7_256-2_160-5, 7_256-1_128-2, 7_256-2_160-2, 7_256-1_128-1, 7_256-2_160-1,
> 000 "mytunnel-net":   IKE algorithm newest: AES_CBC_256-SHA2_256-MODP1024
> 000 "mytunnel-net":   ESP algorithms wanted: 12_256-2, ; pfsgroup=2;
> flags=-strict
> 000 "mytunnel-net":   ESP algorithms loaded: 12_256-2, ; pfsgroup=2;
> flags=-strict


What options should I use to fulfill the above requirements? Does my
OpenSwan support those algorithms at all?

 Best regards, Danilo
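
An added example (not part of the original post or of Openswan itself) that decodes the numeric proposal tokens in the quoted `ipsec auto --status` output and compares them with the requirement block at the top of the post. The IKE encrypt, hash and DH group tables and the ESP auth table are transcribed from the algorithm listing quoted above; ESP encrypt id 12 is not in that listing and is assumed here to be the IANA ESP transform id for AES-CBC (it is what the `esp=aes256-sha1` line produced as `12_256-2`). `SAMPLE_STATUS` is reconstructed from the quoted status lines, including pluto's line wrapping, so the parser has to rejoin continuation lines. Running it shows that the wanted IKE list carries only MD5 and SHA1 as hashes and groups 5, 2 and 1, so the requirement for SHA-256 with group 2 is not among the proposals, whereas the ESP proposal already matches.

```python
import re

# Transform-id tables transcribed from the `ipsec auto --status` listing quoted
# in the post.  ESP encrypt id 12 does not appear in that listing; it is the
# IANA ESP transform id for AES-CBC (assumption, see lead-in).
IKE_ENCRYPT = {3: "BLOWFISH_CBC", 5: "3DES_CBC", 6: "CAST_CBC", 7: "AES_CBC",
               65004: "SERPENT_CBC", 65005: "TWOFISH_CBC",
               65289: "SSH_PRIVATE_65289"}
IKE_HASH = {1: "MD5", 2: "SHA1", 4: "SHA2_256", 6: "SHA2_512"}
DH_GROUP = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048",
            15: "MODP3072", 16: "MODP4096", 17: "MODP6144", 18: "MODP8192"}
ESP_ENCRYPT = {3: "3DES", 12: "AES_CBC"}
ESP_AUTH = {1: "HMAC_MD5", 2: "HMAC_SHA1"}

# The requirement block from the post, expressed in the same vocabulary.
REQUIRED_IKE = {"encrypt": "AES_CBC", "keylen": 256, "hash": "SHA2_256",
                "group": "MODP1024"}
REQUIRED_ESP = {"encrypt": "AES_CBC", "keylen": 256, "auth": "HMAC_SHA1",
                "pfsgroup": "MODP1024"}

# Constructed sample: the status lines quoted in the post, wrapped the way
# pluto prints them (continuation lines carry no leading "000").
SAMPLE_STATUS = """\
000 "mytunnel-net":   IKE algorithms wanted: 7_256-1-5, 7_256-2-5,
7_256-1-2, 7_256-2-2, 7_256-1-1, 7_256-2-1, flags=-strict
000 "mytunnel-net":   IKE algorithms found:  7_256-1_128-5,
7_256-2_160-5, 7_256-1_128-2, 7_256-2_160-2, 7_256-1_128-1, 7_256-2_160-1,
000 "mytunnel-net":   ESP algorithms wanted: 12_256-2, ; pfsgroup=2;
flags=-strict
"""

# ENC[_LEN]-HASH[_LEN][-GROUP]; "flags=-strict" and "pfsgroup=2" do not match.
TOKEN_RE = re.compile(r"\b\d+(?:_\d+)?-\d+(?:_\d+)?(?:-\d+)?\b")


def _id_and_len(part):
    """'7_256' -> (7, 256); '1' -> (1, None)."""
    alg, _, klen = part.partition("_")
    return int(alg), (int(klen) if klen else None)


def decode_ike(token):
    """Decode an IKE proposal token ENC[_LEN]-HASH[_LEN]-GROUP into names."""
    enc, hsh, grp = token.split("-")
    e_id, e_len = _id_and_len(enc)
    h_id, _ = _id_and_len(hsh)
    return {"encrypt": IKE_ENCRYPT.get(e_id, f"id{e_id}"), "keylen": e_len,
            "hash": IKE_HASH.get(h_id, f"id{h_id}"),
            "group": DH_GROUP.get(int(grp), f"id{grp}")}


def decode_esp(token, pfsgroup):
    """Decode an ESP proposal token ENC[_LEN]-AUTH plus the pfsgroup id."""
    enc, auth = token.split("-")
    e_id, e_len = _id_and_len(enc)
    a_id, _ = _id_and_len(auth)
    return {"encrypt": ESP_ENCRYPT.get(e_id, f"id{e_id}"), "keylen": e_len,
            "auth": ESP_AUTH.get(a_id, f"id{a_id}"),
            "pfsgroup": DH_GROUP.get(pfsgroup, f"id{pfsgroup}")}


def parse_status(text):
    """Return {'IKE wanted': [...], 'ESP wanted': [...], ...} of decoded dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("000") or not records:
            records.append(line)
        else:                      # wrapped continuation of the previous record
            records[-1] += " " + line
    result = {}
    for rec in records:
        m = re.search(r"(IKE|ESP) algorithms (wanted|found|loaded):\s*(.*)", rec)
        if not m:
            continue
        proto, kind, rest = m.groups()
        pfs = re.search(r"pfsgroup=(\d+)", rest)
        pfsgroup = int(pfs.group(1)) if pfs else None
        tokens = TOKEN_RE.findall(rest)
        if proto == "IKE":
            result[f"{proto} {kind}"] = [decode_ike(t) for t in tokens]
        else:
            result[f"{proto} {kind}"] = [decode_esp(t, pfsgroup) for t in tokens]
    return result


def proposals_meeting(required, proposals):
    """Proposals in which every required field matches."""
    return [p for p in proposals
            if all(p.get(k) == v for k, v in required.items())]


def check_against_requirements(text):
    """Does any wanted IKE / ESP proposal satisfy the requirement block?"""
    parsed = parse_status(text)
    ike = parsed.get("IKE wanted", [])
    esp = parsed.get("ESP wanted", [])
    return {"ike_ok": bool(proposals_meeting(REQUIRED_IKE, ike)),
            "esp_ok": bool(proposals_meeting(REQUIRED_ESP, esp)),
            "ike_hashes_offered": sorted({p["hash"] for p in ike})}


if __name__ == "__main__":
    for kind, props in parse_status(SAMPLE_STATUS).items():
        print(kind)
        for p in props:
            print("   ", p)
    print(check_against_requirements(SAMPLE_STATUS))
```

The decoded "wanted" list is the useful check: it is what pluto will actually propose, so comparing it with the written requirement catches a config line that names only the cipher and leaves the hash and DH group to their defaults.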
