[Openswan Users] IKE / ESP options

Danilo Godec danilo.godec at agenda.si
Wed May 5 03:59:54 EDT 2010


On 30. 04. 2010 20:32, Paul Wouters wrote:
> On Fri, 30 Apr 2010, Danilo Godec wrote:
>
>>> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: sent MR3, ISAKMP
>>> SA established
>>> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #5: no acceptable
>>> Proposal in IPsec SA
>
> Your phase2 parameters are misconfigured between the endpoints

Well, that was quite obvious, but I couldn't find a working setup on my
side.

Then I asked the other admin to tweak their configuration and he allowed
other algorithms and it finally works:

> 000 "mytunnel-net":   IKE algorithms wanted: 7_000-1-5, 7_000-2-5,
> 7_000-1-2, 7_000-2-2, 7_000-1-1, 7_000-2-1, flags=-strict
> 000 "mytunnel-net":   IKE algorithms found:  7_128-1_128-5,
> 7_128-2_160-5, 7_128-1_128-2, 7_128-2_160-2, 7_128-1_128-1, 7_128-2_160-1,
> 000 "mytunnel-net":   IKE algorithm newest: *AES_CBC_128-SHA-MODP1024*
> 000 "mytunnel-net":   ESP algorithms wanted: 3_000-1, 3_000-2, ;
> pfsgroup=5; flags=-strict
> 000 "mytunnel-net":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
> 000 "mytunnel-net":   ESP algorithm newest: *3DES_0-HMAC_SHA1;
> pfsgroup=MODP1536*

My setup regarding algorithms is this:

>         ike=aes
>         ikelifetime=86400s
>         keylife=28800s
>         authby=secret

If I don't specify 'ike=aes', it doesn't work...


It appears I'm missing 'AES' for ESP:

> # ipsec auto --status | grep ESP
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
> keysizemin=168, keysizemax=168
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160



Thanks for the help, Danilo
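
Added example (not part of the original message and not Openswan code): a small Python parser for the quoted, line-wrapped `ipsec auto --status` output above. It assumes the tokens read enc-id_keylen-auth-id[_len][-DH-group] with IANA IKEv1 numbers, and all function names are illustrative.

```python
import re

# IANA IKEv1 numbers for the ids that appear in this thread (12 = ESP_AES, added for the check).
IKE_ENC = {5: "3DES_CBC", 7: "AES_CBC"}
ESP_ENC = {3: "3DES", 12: "AES"}
AUTH = {1: "MD5", 2: "SHA1"}
GROUP = {1: "MODP768", 2: "MODP1024", 5: "MODP1536"}

# Status lines copied from the post above, still '>'-quoted and wrapped by the mailer.
SAMPLE = """\
> 000 "mytunnel-net":   IKE algorithms found:  7_128-1_128-5,
> 7_128-2_160-5, 7_128-1_128-2, 7_128-2_160-2, 7_128-1_128-1, 7_128-2_160-1,
> 000 "mytunnel-net":   ESP algorithms wanted: 3_000-1, 3_000-2, ;
> pfsgroup=5; flags=-strict
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
> keysizemin=168, keysizemax=168
"""

def unwrap(text):
    """Drop '> ' quoting and rejoin continuation lines onto their '000 ' record."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if line.startswith("000 ") or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def decode(token, enc_names):
    """'7_128-2_160-5' -> ('AES_CBC', 128, 'SHA1', 'MODP1536'); ESP tokens have no group."""
    parts = token.split("-")
    enc_id, keylen = (int(x) for x in parts[0].split("_"))
    auth_id = int(parts[1].split("_")[0])
    group = GROUP.get(int(parts[2]), f"group#{parts[2]}") if len(parts) == 3 else None
    return (enc_names.get(enc_id, f"enc#{enc_id}"), keylen,
            AUTH.get(auth_id, f"auth#{auth_id}"), group)

def proposals(text, phase, kind):
    """phase is 'IKE' or 'ESP'; kind is 'wanted', 'found' or 'loaded'."""
    names = IKE_ENC if phase == "IKE" else ESP_ENC
    for rec in unwrap(text):
        m = re.search(rf"{phase} algorithms {kind}:(.*)", rec)
        if m:
            tokens = re.findall(r"\d+_\d+-\d+(?:_\d+)?(?:-\d+)?", m.group(1))
            return [decode(t, names) for t in tokens]
    return []

def kernel_esp_ciphers(text):
    """Names from the 'algorithm ESP encrypt' lines, e.g. ['ESP_3DES']."""
    return re.findall(r"algorithm ESP encrypt: id=\d+, name=(\w+)", "\n".join(unwrap(text)))
```

Comparing `proposals(..., "ESP", "wanted")` on both gateways shows which phase 2 transforms overlap, and `kernel_esp_ciphers()` shows whether a cipher such as ESP_AES is registered at all.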

