[Openswan Users] Question about ike configuration

Paul Wouters paul at xelerance.com
Mon Mar 1 01:57:18 EST 2010


On Mon, 1 Mar 2010, mix.kao wrote:

> I have a question about the openswan config.
> I am trying to build a tunnel between two gateways.
> gateway1's ike set to AES256-SHA1-MODP768
> gateway2's ike set to AES128-SHA1-MODP1536
> and finally the tunnel use ==> IKE algorithm newest: AES_CBC_256-SHA1-MODP768

I do not understand this.

If the two gateways set an ike= option, ONLY that proposal is allowed. If two
gateways set two different ike= options, they will never setup a tunnel. If
the ike= options (and other options/auth) match, the tunnel will work. If
you want to allow two proposals, you can allow them both. In your example:
gateway2 would use: ike=AES256-SHA1-MODP768,AES128-SHA1-MODP1536

However, note that modp768 does NOT WORK with openswan because it is
insecure. The minimum openswan will use is modp1024.

Paul
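As an added example (not part of this mail or of Openswan's own code), a small model of the proposal matching described in the reply: each side's ike= list is parsed, a tunnel needs a proposal that both gateways allow, and groups below modp1024 are refused as the reply states. The parsing regex and the Proposal type are my own simplification of Openswan's syntax.

```python
"""Model how Openswan's ike= option restricts IKE proposals (illustrative)."""
import re
from typing import List, NamedTuple, Optional

MIN_MODP_BITS = 1024  # minimum DH group Openswan accepts, per the reply


class Proposal(NamedTuple):
    enc: str        # e.g. AES256
    integ: str      # e.g. SHA1
    modp_bits: int  # e.g. 1536 for MODP1536


def parse_ike(value: str) -> List[Proposal]:
    """Parse an ike= value such as 'AES256-SHA1-MODP768,AES128-SHA1-MODP1536'."""
    proposals = []
    for item in value.split(","):
        item = item.strip()
        m = re.fullmatch(r"([A-Za-z0-9_]+)-([A-Za-z0-9_]+)-MODP(\d+)", item, re.I)
        if not m:
            raise ValueError(f"unrecognised proposal: {item!r}")
        proposals.append(
            Proposal(m.group(1).upper(), m.group(2).upper(), int(m.group(3))))
    return proposals


def acceptable(p: Proposal) -> bool:
    """Openswan refuses weak DH groups regardless of what ike= asks for."""
    return p.modp_bits >= MIN_MODP_BITS


def negotiate(initiator_ike: str, responder_ike: str) -> Optional[Proposal]:
    """Return the first initiator proposal the responder also allows, else None."""
    responder = {p for p in parse_ike(responder_ike) if acceptable(p)}
    for p in parse_ike(initiator_ike):
        if acceptable(p) and p in responder:
            return p
    return None


if __name__ == "__main__":
    # The configuration from the question: one proposal per side, no overlap.
    print(negotiate("AES256-SHA1-MODP768", "AES128-SHA1-MODP1536"))
    # gateway2 listing both proposals: the MODP1536 one can be agreed,
    # the MODP768 one is dropped even when both sides offer it.
    both = "AES256-SHA1-MODP768,AES128-SHA1-MODP1536"
    print(negotiate("AES128-SHA1-MODP1536", both))
    print(negotiate("AES256-SHA1-MODP768", both))
```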

