[Openswan Users] The way Openswan parses the gcm parameters of phase2alg seems unreasonable.

汪洋旦 wangyangdan at hotmail.com
Wed Apr 27 23:43:18 EDT 2011


Hi all,
 
    I am trying to use GCM as the phase2alg during my testing.
    I built a test bed with Openswan----Openswan (2.6.33).
    Here is my ipsec.conf.
----------------- 
config setup
  pluto=yes
  protostack=netkey

conn %default
  authby=secret
  auto=route
  ikev2=never
  rekey=no

conn interop4
  left=80.1.1.200
  right=80.1.1.100
  ike=aes256-sha1;modp1024
  pfs=yes
#  phase2alg=aes_ccm_c-216-null
#  phase2alg=aes_ccm_c-280-null
  phase2alg=aes_gcm_c-160-null
#  phase2alg=aes_gcm_c-288-null
  type=transport
  aggrmode=no
------------------
 
    I know the number in aes_ccm_c-???-null should be set to "AES key length" + "fixed 24 bits" for ccm.
    I have also learned that the number in phase2alg=aes_gcm_c-???-null should be set to "AES key length" + "fixed 32 bits" for gcm.
    This way I can set 160/224 for aes128gcm/aes192gcm. But when I want to set 288 for aes256gcm, the following errors are logged.
-------
 Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: kernel algorithm does not like: kernel_alg_db_add() key_len not in range: alg_id=19, key_len=288, alg_minbits=128, alg_maxbits=256
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: unsupported ESP Transform ESP_AES_GCM_B from 80.1.1.200
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: no acceptable Proposal in IPsec SA
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.1.1.200:500
--------
 
    So I am confused about how to set the phase2alg parameter if I want to use AES_GCM with 256 (AES key length)?
    I think the sanity check in Openswan here is not reasonable. What is the experts' opinion?
 
--Adam
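
Added example, not part of the original post and not Openswan's own code: it parses the "key_len not in range" line quoted above, splits the number into AES key plus salt using the 24/32-bit figures given in the post, and shows which key+salt values pass a min/max check applied to the combined number. The function names and the model of the range check are assumptions taken only from the values visible in the log.

```python
import re

# Salt bits carried after the AES key, per the post: 24 for CCM, 32 for GCM.
SALT_BITS = {"aes_ccm": 24, "aes_gcm": 32}
AES_KEY_BITS = (128, 192, 256)

# Log line copied from the post above.
POST_LOG = ('Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: kernel algorithm '
            'does not like: kernel_alg_db_add() key_len not in range: alg_id=19, '
            'key_len=288, alg_minbits=128, alg_maxbits=256')

RANGE_ERR = re.compile(r"key_len not in range: alg_id=(?P<alg_id>\d+), "
                       r"key_len=(?P<key_len>\d+), alg_minbits=(?P<lo>\d+), "
                       r"alg_maxbits=(?P<hi>\d+)")

def phase2alg_number(family, aes_bits):
    """Number written in phase2alg=<family>_c-NNN-null: AES key bits + salt bits."""
    return aes_bits + SALT_BITS[family]

def explain(log_line, family):
    """Decompose a rejected key_len; return None if the line is not this error."""
    m = RANGE_ERR.search(log_line)
    if m is None:
        return None
    key_len, lo, hi = (int(m[k]) for k in ("key_len", "lo", "hi"))
    aes_bits = key_len - SALT_BITS[family]
    if aes_bits not in AES_KEY_BITS:
        aes_bits = None  # the number is not a valid key+salt combination
    return {
        "key_len": key_len,
        "aes_bits": aes_bits,
        "salt_bits": SALT_BITS[family],
        # Assumed model: the check compares the combined number to [lo, hi].
        "combined_in_range": lo <= key_len <= hi,
        "aes_key_in_range": aes_bits is not None and lo <= aes_bits <= hi,
    }

def acceptance_table(lo=128, hi=256):
    """Which (family, AES bits) pairs pass when key+salt is checked against [lo, hi]."""
    return {(fam, bits): lo <= phase2alg_number(fam, bits) <= hi
            for fam in SALT_BITS for bits in AES_KEY_BITS}

if __name__ == "__main__":
    print(explain(POST_LOG, "aes_gcm"))
    for (fam, bits), ok in sorted(acceptance_table().items()):
        print(fam, bits, phase2alg_number(fam, bits), "accepted" if ok else "rejected")
```
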

  		 	   		  