[Openswan Users] IKE / ESP options
Danilo Godec
danilo.godec at agenda.si
Wed May 5 03:59:54 EDT 2010
On 30. 04. 2010 20:32, Paul Wouters wrote:
> On Fri, 30 Apr 2010, Danilo Godec wrote:
>
>>> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: sent MR3, ISAKMP
>>> SA established
>>> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #5: no acceptable
>>> Proposal in IPsec SA
>
> Your phase2 parameters are misconfigured between the endpoints
Well, that was quite obvious, but I couldn't find a working setup on my
side.
Then I asked the other admin to tweak their configuration and he allowed
other algorithms and it finally works:
> 000 "mytunnel-net": IKE algorithms wanted: 7_000-1-5, 7_000-2-5,
> 7_000-1-2, 7_000-2-2, 7_000-1-1, 7_000-2-1, flags=-strict
> 000 "mytunnel-net": IKE algorithms found: 7_128-1_128-5,
> 7_128-2_160-5, 7_128-1_128-2, 7_128-2_160-2, 7_128-1_128-1, 7_128-2_160-1,
> 000 "mytunnel-net": IKE algorithm newest: *AES_CBC_128-SHA-MODP1024*
> 000 "mytunnel-net": ESP algorithms wanted: 3_000-1, 3_000-2, ;
> pfsgroup=5; flags=-strict
> 000 "mytunnel-net": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
> 000 "mytunnel-net": ESP algorithm newest: *3DES_0-HMAC_SHA1;
> pfsgroup=MODP1536*
My setup regarding algorithms is this:
> ike=aes
> ikelifetime=86400s
> keylife=28800s
> authby=secret
If I don't specify 'ike=aes', it doesn't work...
It appears I'm missing 'AES' for ESP:
> # ipsec auto --status | grep ESP
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
> keysizemin=168, keysizemax=168
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
Thanks for the help, Danilo
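
An added example, not part of the original post or of Openswan: a small decoder for the `ipsec auto --status` algorithm lines quoted above, mapping the numeric ids to their IANA IKEv1/IPsec DOI names and flagging components that a local policy treats as weak. The `WEAK` set and the function names are assumptions; the sample lines are the post's own output with the line wrapping removed.

```python
import re

# IANA IKEv1 / IPsec DOI numbers for ids that can appear in these lines.
IKE_ENC = {5: "3DES_CBC", 7: "AES_CBC"}
ESP_ENC = {3: "3DES", 12: "AES"}
HASH = {1: "MD5", 2: "SHA1"}
GROUP = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048"}
# Assumption: local policy that rejects these for new tunnels.
WEAK = {"MD5", "MODP768", "MODP1024", "3DES", "3DES_CBC"}

# enc_keybits-auth[_bits][-dhgroup], e.g. 7_128-2_160-5 or 3_168-1_128
TOKEN = re.compile(r"(\d+)_(\d+)-(\d+)(?:_\d+)?(?:-(\d+))?")

def decode(line):
    """Return [(readable_name, [weak_parts])] for one 'algorithms' status line."""
    m = re.search(r"(IKE|ESP) algorithms \w+: (.*)", line)
    if not m:
        return []  # e.g. the 'algorithm newest' lines, already human-readable
    kind, rest = m.groups()
    enc_names = IKE_ENC if kind == "IKE" else ESP_ENC
    out = []
    for enc, bits, auth, grp in TOKEN.findall(rest):
        parts = [enc_names.get(int(enc), f"ENC{enc}"),
                 HASH.get(int(auth), f"AUTH{auth}")]
        if grp:  # only IKE proposals carry a DH group in this notation
            parts.append(GROUP.get(int(grp), f"GROUP{grp}"))
        name = f"{parts[0]}_{int(bits)}-" + "-".join(parts[1:])
        out.append((name, [p for p in parts if p in WEAK]))
    return out

# Sample input: lines from the post above, unwrapped.
SAMPLE = [
    '000 "mytunnel-net": IKE algorithms found: 7_128-1_128-5, 7_128-2_160-5, '
    '7_128-1_128-2, 7_128-2_160-2, 7_128-1_128-1, 7_128-2_160-1,',
    '000 "mytunnel-net": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,',
]

if __name__ == "__main__":
    for line in SAMPLE:
        for name, weak in decode(line):
            print(f"{name:28} {'WEAK: ' + ','.join(weak) if weak else 'ok'}")
```
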