[Openswan Users] IKE SHA type question
Kevin White
openswan-kevin at kevbo.org
Thu Jul 15 10:58:02 EDT 2010
I'm trying to set up a VPN between Openswan and a Cisco device. I'm
using Openswan 2.4.9.
The tunnel isn't coming up, but I have lots of things still to check.
I've noticed one thing, and I'm curious if it is a problem:
000 "xxx": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5),
AES_CBC(7)_256-SHA1(2)-MODP1024(2); flags=strict
000 "xxx": IKE algorithms found:
AES_CBC(7)_256-SHA1(2)_160-MODP1536(5),
AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "xxx": ESP algorithms wanted: AES(12)_256-SHA1(2); flags=strict
000 "xxx": ESP algorithms loaded: AES(12)_256-SHA1(2); flags=strict
Note that the ESP algorithms seem to match, but the IKE seems to have a
problem.
This is wanted:
AES_CBC(7)_256-SHA1(2)-MODP1536(5)
This is found:
AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)
I kind of thought those two things were the same, but they appear to
look different...so I'm not sure if this means I'm getting stuck at IKE.
Is this a problem, or does it just look funny?
I'm here:
000 #6: "xxx":500 STATE_MAIN_I2 (sent MI2, expecting MR2);
EVENT_RETRANSMIT in 11s; nodpd
000 #6: pending Phase 2 for "xxx" replacing #0
000 #6: pending Phase 2 for "xxx" replacing #0
but there can still be problems on the Cisco side: I don't control that
side, and it might not even be configured for my connection yet.
So, at this point, my question really is: is that an IKE algorithm
mismatch, or is it just cosmetic?
Thanks,
Kevin
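
Added example, not part of the original message and not Openswan code: a field-by-field comparison of the "wanted" and "found" IKE proposals from status output like the lines quoted above, so that a printing difference is not mistaken for an algorithm difference. It assumes the `_160` suffix after `SHA1(2)` is the hash output length in bits (SHA-1 produces a 160-bit digest) and that an omitted suffix means the algorithm's native length; all function names are hypothetical.

```python
import re

# Sample input constructed from the status lines quoted in the post,
# with mail-style line wrapping kept to exercise the re-joining step.
STATUS = '''\
000 "xxx": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5),
AES_CBC(7)_256-SHA1(2)-MODP1024(2); flags=strict
000 "xxx": IKE algorithms found:
AES_CBC(7)_256-SHA1(2)_160-MODP1536(5),
AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
'''

# NAME(id) with an optional _bits suffix: AES_CBC(7)_256, SHA1(2), SHA1(2)_160
TOKEN = re.compile(r'([A-Z0-9_]+)\((\d+)\)(?:_(\d+))?')
# Assumption: an omitted hash size means the algorithm's native digest length.
DIGEST_BITS = {"MD5": 128, "SHA1": 160}

def unwrap(status):
    """Re-join wrapped continuation lines; real status lines start with '000 '."""
    lines = []
    for raw in status.splitlines():
        if raw.startswith("000 ") or not lines:
            lines.append(raw.strip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def parse_proposal(text):
    """Normalise one proposal to (enc, id, key_bits, hash, id, hash_bits, group, id)."""
    tokens = TOKEN.findall(text)
    if len(tokens) != 3:
        raise ValueError("unexpected proposal format: %r" % text)
    (enc, eid, ebits), (hsh, hid, hbits), (grp, gid, _) = tokens
    hash_bits = int(hbits) if hbits else DIGEST_BITS.get(hsh)
    return (enc, int(eid), int(ebits or 0), hsh, int(hid), hash_bits, grp, int(gid))

def proposals(status, kind):
    """Proposals listed on the 'IKE algorithms <kind>:' line ('wanted' or 'found')."""
    for line in unwrap(status):
        m = re.search(r'IKE algorithms %s:\s*([^;]+)' % kind, line)
        if m:
            return [parse_proposal(p) for p in m.group(1).split(",")]
    return []

def missing_proposals(status):
    """Wanted proposals with no field-for-field equal entry among those found."""
    found = proposals(status, "found")
    return [p for p in proposals(status, "wanted") if p not in found]
```

An empty list from `missing_proposals(STATUS)` means every wanted proposal has an equal entry among those found once the hash length is normalised; a non-empty list names the proposals that differ in an actual field.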