[Openswan Users] IKE / ESP options

Paul Wouters paul at xelerance.com
Thu Apr 29 14:58:28 EDT 2010


On Thu, 29 Apr 2010, Danilo Godec wrote:

> I'm having trouble with some IKE / ESP options. We need to create an
> IPSEC VPN and we're supposed to set it up like this:

You have the algos you need. You will have to show us more of your problem.

Paul

>>
>> ************************************************
>> Authentication algorithm: HMAC-SHA1-96
>> Encryption: AES_CBC 256-bit
>> PFS: DH-Group2
>> Lifetime: 22800 sec
>>
>>    IKE:
>>
>> Authentication algorithm: SHA 256-bit
>> Encryption: AES-CBC 256-bit
>> Diffie-Hellman Group: Group 2
>> IKE Lifetime: 86400 sec
>> ************************************************
>
> The 'ipsec auto --status' says this:
>
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
>> keysizemin=168, keysizemax=168
>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>> keysizemin=160, keysizemax=160
>> 000
>> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289,
>> blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
>> blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
>> blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8,
>> keydeflen=128
>> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC,
>> blocksize=8, keydeflen=128
>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
>> keydeflen=128
>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
>> keydeflen=192
>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> 000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>
> I tried to set 'ike', 'esp' and 'pfsgroup' parameters, but had no success:
>
>        ike=aes256
>        esp=aes256-sha1
>        pfsgroup=modp1024
>        ikelifetime=86400s
>        keylife=28800s
>
>
> After adding the connection, the 'ipsec auto --status' says:
>
>> 000 "mytunnel-net":   newest ISAKMP SA: #2843; newest IPsec SA: #0;
>> eroute owner: #0
>> 000 "mytunnel-net":   IKE algorithms wanted: 7_256-1-5, 7_256-2-5,
>> 7_256-1-2, 7_256-2-2, 7_256-1-1, 7_256-2-1, flags=-strict
>> 000 "mytunnel-net":   IKE algorithms found:  7_256-1_128-5,
>> 7_256-2_160-5, 7_256-1_128-2, 7_256-2_160-2, 7_256-1_128-1, 7_256-2_160-1,
>> 000 "mytunnel-net":   IKE algorithm newest: AES_CBC_256-SHA2_256-MODP1024
>> 000 "mytunnel-net":   ESP algorithms wanted: 12_256-2, ; pfsgroup=2;
>> flags=-strict
>> 000 "mytunnel-net":   ESP algorithms loaded: 12_256-2, ; pfsgroup=2;
>> flags=-strict
>
>
> What options should I use to fulfill the above requirements? Does my
> Openswan support those algorithms at all?
>
> Best regards, Danilo
>
>
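
The "IKE algorithms wanted" line quoted above lists proposals by numeric id. As an added example (not part of the original thread and not Openswan code), this sketch decodes that line with the id tables from the same status output and checks whether a given suite is among the proposals. It assumes each entry reads cipher id_key length, hash id, DH group id; the function names are hypothetical.

```python
import re

# Constructed sample: status lines taken from the post above, re-joined where mail wrapping split them.
# Assumption: each "wanted" entry is <cipher id>_<key bits>-<hash id>-<DH group id>.
STATUS = """\
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 "mytunnel-net":   IKE algorithms wanted: 7_256-1-5, 7_256-2-5, 7_256-1-2, 7_256-2-2, 7_256-1-1, 7_256-2-1, flags=-strict
"""

ALG = re.compile(r"algorithm IKE (encrypt|hash|dh group): id=(\d+), name=(\w+)")
WANTED = re.compile(r'"([^"]+)":\s+IKE algorithms wanted: (.*)')
TRIPLE = re.compile(r"(\d+)_(\d+)-(\d+)-(\d+)")

def parse_status(text):
    """Return (id->name tables per kind, {conn: [(enc, keylen, hash, group), ...]})."""
    tables = {"encrypt": {}, "hash": {}, "dh group": {}}
    wanted = {}
    for line in text.splitlines():
        if m := ALG.search(line):
            tables[m[1]][int(m[2])] = m[3]
        elif m := WANTED.search(line):
            wanted[m[1]] = [tuple(map(int, t)) for t in TRIPLE.findall(m[2])]
    return tables, wanted

def describe(tables, proposal):
    """Render one numeric proposal with the names from the algorithm tables."""
    enc, keylen, hsh, grp = proposal
    e, h, g = (tables[k].get(i, f"id{i}") for k, i in
               (("encrypt", enc), ("hash", hsh), ("dh group", grp)))
    return f"{e}_{keylen}-{h}-{g}"

def offers(tables, wanted, conn, enc, keylen, hsh, grp):
    """True if connection conn proposes the named cipher/hash/group combination."""
    target = f"{enc}_{keylen}-{hsh}-{grp}"
    return any(describe(tables, p) == target for p in wanted.get(conn, []))

if __name__ == "__main__":
    tables, wanted = parse_status(STATUS)
    for p in wanted["mytunnel-net"]:
        print(describe(tables, p))
    print(offers(tables, wanted, "mytunnel-net", "OAKLEY_AES_CBC", 256,
                 "OAKLEY_SHA2_256", "OAKLEY_GROUP_MODP1024"))
```
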

