[Openswan Users] Should Openswan 2.6.24 do kernel patch?

mix.kao mix.kao at cipherium.com.tw
Sun Feb 7 21:27:11 EST 2010 

Hi Paul,

yes, i use the klips as a kernel module (ipsec.ko)
And i have crypto_algapi with des_generic

ecb                     1152  0
cbc                     1696  0
md5                     3872  0
cryptomgr              71344  0
crypto_blkcipher        6468  3 ecb,cbc,cryptomgr
aead                    3200  1 cryptomgr
des_generic            16128  0
crypto_algapi           7648  7 
ecb,cbc,md5,cryptomgr,crypto_blkcipher,aead,des_generic
ipsec                 337492  2
cryptodev               9732  2
ixp4xx                  6992  0
ocf                    15304  2 cryptodev,ixp4xx

========================================================================

and the ipsec.conf

version	2.0

config setup
	interfaces="ipsec0=lo ipsec1=ixp0 ipsec3=eth10 ipsec4=eth11 
ipsec5=eth12 ipsec6=eth13 ipsec7=eth14"
	protostack=klips
	klipsdebug=none
	plutodebug=none
	uniqueids=yes
	postpluto="/ramfs/bin/ipsec_postpluto"
	plutostderrlog="/tmp/ipsec.log"

conn %default
	type=tunnel
	#right=192.168.1.1
	rightsubnet=0.0.0.0/0
	auth=esp
	authby=secret
	ike=3des-sha1-MODP1024,3des-md5-MODP1024,3des-sha1-MODP768,3des-md5-MODP768,des-sha1-MODP1024,des-md5-MODP1024,des-sha1-MODP768,des-md5-MODP768
	esp=3des-sha1-96,3des-md5-96,des-sha1-96,des-md5-96
	disablearrivalcheck=no
	dpddelay=10
	dpdtimeout=15
	dpdaction=clear
	keyingtries=15
	failureshunt=drop
	keylife=24h
         ikelifetime=8h
         rekeymargin=10m
         rekey=no
	pfs=no
	auto=add
	rightupdown="/usr/local/lib/ipsec/_updown"

include /etc/ipsec.d/conf/ipsec.*.conf


=====================================================================================

ipsec whack --status

I only get DES support on IKE, no ESP_DES.
Anything i missing?

Thanks

000 using kernel interface: klips
000 interface ipsec0/lo 127.0.0.1
000 interface ipsec1/ixp0 10.29.3.21
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a 
syntax
000          error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, 
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, 
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, 
keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, 
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, 
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, 
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, 
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} 
trans={0,0,0} attrs={0,0,0}
000
000
000



On 02/07/2010 02:03 AM, Paul Wouters wrote:
> On Sat, 6 Feb 2010, mix.kao wrote:
>
>> i built the openswan 2.6.24 (klips) and kernel 2.6.28 to do IPSec.
>> Does the openswan still need to patch my kernel source? Or in this
>> version, we no need to patch the kernel?
>
> If you meant the NAT-T patch, then no you do not. If you are happy
> with klips as a module, you do not need to recompile your kernel.
>
>> Another question about the DES encryption
>> I know the DES is not secure anymore.
>
> It's not just not secure. It's only slightly better then rot13.
>
>> I install the openswan 2.6.24 in my ARCH Linux with DES support
>> I can get DES support in phase 2 (ESP_DES), but there is not DES support
>> in phase 1 (IKE)
>
> You will need to enable 1DES in both userland and klips. klips only
> supports 1des via cryptoapi.
>
>> The same version of openswan
>> Can i say openswan 2.6.24 still support DES in phase 1/2 but how to
>> enable it or how to make it work?
>
> You must explicitely specify it on the ike/esp lines to use it, as we
> do no include 1des in the default proposal list.
>
> Paul
>
>

More information about the Users mailing list