[Openswan Users] It seems unreasonable f or openswan the way to parse gcm/ccm para meters of phase2alg.
汪洋旦
wangyangdan at hz.cn
Wed May 4 03:01:35 EDT 2011
Hi all,
I am trying to use the gcm/ccm as phase2alg during my testing.
I build up a test bed with Openswan----Openswan(2.6.33).
Here is my ipsec.conf.
-----------------
config setup
pluto=yes
protostack=netkey
conn %default
authby=secret
auto=route
ikev2=never
rekey=no
conn interop4
left=80.1.1.200
right=80.1.1.100
ike=aes256-sha1;modp1024
pfs=yes
# phase2alg=aes_ccm_c-216-null
# phase2alg=aes_ccm_c-280-null
phase2alg=aes_gcm_c-160-null
# phase2alg=aes_gcm_c-288-null
type=transport
aggrmode=no
------------------
I know the number in aes_ccm_c-???-null, should set as "AES key length" + "fixed 24 bits" for ccm.
And I also get known the number in phase2alg=aes_gcm_c-???-null, should set as "AES key length" + "fixed 32 bits" for gcm.
In this way I can set 160/224 for aes128gcm/aes192gcm. But when I want to set 288 for aes256gcm, error log happen as following.
-------
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: kernel algorithm does not like: kernel_alg_db_add() key_len not in range: alg_id=19, key_len=288, alg_minbits=128, alg_maxbits=256
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: unsupported ESP Transform ESP_AES_GCM_B from 80.1.1.200
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: no acceptable Proposal in IPsec SA
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.1.1.200:500
--------
So I am confused about how to set the parameter to Phase2alg, If I want to use AES_GCM with 256(AES key length) ?
I think the sanity check of openswan here is not reasonable. What's expert's opinion?
Thanks.
--Adam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110504/f94375a1/attachment-0001.html
More information about the Users
mailing list