[Openswan Users] IKE SHA type question

Ryan McLeod r.mcleod20 at gmail.com
Thu Jul 15 11:12:13 EDT 2010


It looks like it is an issue with mismatch. I'm not sure how to set the bits
for the hash on the Cisco, but on Openswan /etc/ipsec.conf:

conn tunnel
     esp=aes-sha-256

 should work I'd imagine.

Ryan

On Thu, Jul 15, 2010 at 10:58 AM, Kevin White <openswan-kevin at kevbo.org> wrote:

> I'm trying to set up a VPN between Openswan and a Cisco device.  I'm
> using Openswan 2.4.9.
>
> The tunnel isn't coming up, but I have lots of things still to check.
> I've noticed one thing, and I'm curious if it is a problem:
>
> 000 "xxx":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5),
> AES_CBC(7)_256-SHA1(2)-MODP1024(2); flags=strict
> 000 "xxx":   IKE algorithms found:
> AES_CBC(7)_256-SHA1(2)_160-MODP1536(5),
> AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
> 000 "xxx":   ESP algorithms wanted: AES(12)_256-SHA1(2); flags=strict
> 000 "xxx":   ESP algorithms loaded: AES(12)_256-SHA1(2); flags=strict
>
> Note that the ESP algorithms seem to match, but the IKE seems to have a
> problem.
>
> This is wanted:
>
> AES_CBC(7)_256-SHA1(2)-MODP1536(5)
>
> This is found:
>
> AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)
>
> I kind of thought those two things were the same, but they appear to
> look different...so I'm not sure if this means I'm getting stuck at IKE.
>
> Is this a problem, or does it just look funny?
>
> I'm here:
>
> 000 #6: "xxx":500 STATE_MAIN_I2 (sent MI2, expecting MR2);
> EVENT_RETRANSMIT in 11s; nodpd
> 000 #6: pending Phase 2 for "xxx" replacing #0
> 000 #6: pending Phase 2 for "xxx" replacing #0
>
> but there can still be problems on the Cisco side: I don't control that
> side, and it might not even be configured for my connection yet.
>
> So, at this point, my question really is: is that an IKE algorithm
> mismatch, or is it just cosmetic?
>
> Thanks,
>
> Kevin
>
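Added example, not part of either post and not Openswan code: a small Python parser for the "algorithms wanted/found" status lines quoted above, which compares the two lists by the numeric transform id printed in parentheses and reports separately when a bit length is printed on only one side. The function names are hypothetical, the sample is the quoted output unwrapped onto single lines, and treating a one-sided length as an omission is an assumption (SHA-1 has a fixed 160-bit digest).

```python
import re

# Constructed sample: the status lines quoted in the thread, unwrapped.
SAMPLE = '''\
000 "xxx":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5), AES_CBC(7)_256-SHA1(2)-MODP1024(2); flags=strict
000 "xxx":   IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1536(5), AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "xxx":   ESP algorithms wanted: AES(12)_256-SHA1(2); flags=strict
000 "xxx":   ESP algorithms loaded: AES(12)_256-SHA1(2); flags=strict
'''

LINE = re.compile(r'^000 "([^"]+)":\s+(IKE|ESP) algorithms (wanted|found|loaded): ([^;]*)')
FIELD = re.compile(r'([A-Z0-9_]+?)\((\d+)\)(?:_(\d+))?$')

def parse_proposal(text):
    """'AES_CBC(7)_256-SHA1(2)_160' -> [(name, transform_id, bits or None), ...]"""
    fields = []
    for part in text.strip().split("-"):
        m = FIELD.match(part)
        if not m:
            raise ValueError(f"unrecognised field: {part!r}")
        fields.append((m.group(1), int(m.group(2)), int(m.group(3)) if m.group(3) else None))
    return fields

def collect(status_text):
    """Map (conn, 'IKE'|'ESP', 'wanted'|'found'|'loaded') -> list of parsed proposals."""
    out = {}
    for line in status_text.splitlines():
        m = LINE.match(line)
        if m:
            conn, proto, kind, props = m.groups()
            out[(conn, proto, kind)] = [parse_proposal(p) for p in props.split(",")]
    return out

def differences(wanted, found):
    """Compare two proposal lists field by field, keyed on the numeric ids."""
    if [len(p) for p in wanted] != [len(p) for p in found]:
        return [("mismatch", "proposal shape", "proposal shape")]
    diffs = []
    for w, f in zip(wanted, found):
        for (wn, wid, wb), (fn, fid, fb) in zip(w, f):
            if (wn, wid) != (fn, fid):
                diffs.append(("mismatch", f"{wn}({wid})", f"{fn}({fid})"))
            elif wb != fb:
                # Assumption: a length printed on only one side is an omission, not a conflict.
                kind = "length-omitted" if None in (wb, fb) else "mismatch"
                diffs.append((kind, f"{wn} bits={wb}", f"{fn} bits={fb}"))
    return diffs
```

A result containing only "length-omitted" entries means both lists carry the same cipher, hash and group ids; whether the tunnel comes up still depends on what the peer proposes.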