[Openswan Users] It seems unreasonable f or openswan the way to parse gcm/ccm para meters of phase2alg.

汪洋旦 wangyangdan at hz.cn
Wed May 4 03:01:35 EDT 2011


Hi all,
 
I am trying to use the gcm/ccm as phase2alg during my testing.
I build up a test bed with Openswan----Openswan(2.6.33). 

Here is my ipsec.conf.
----------------- 
config setup
 pluto=yes
 protostack=netkey

conn %default
  authby=secret
  auto=route
  ikev2=never   
  rekey=no

conn interop4
  left=80.1.1.200
  right=80.1.1.100
  ike=aes256-sha1;modp1024
  pfs=yes
 #  phase2alg=aes_ccm_c-216-null
#  phase2alg=aes_ccm_c-280-null
    phase2alg=aes_gcm_c-160-null
#  phase2alg=aes_gcm_c-288-null
  type=transport
  aggrmode=no
------------------
 
 I know the number in aes_ccm_c-???-null, should set as "AES key length" + "fixed 24 bits" for ccm.
And I also get known the number in phase2alg=aes_gcm_c-???-null, should set as "AES key length" + "fixed 32 bits" for gcm.
In this way I can set 160/224 for aes128gcm/aes192gcm. But when I want to set 288 for aes256gcm,  error log happen as following.
-------
 Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: kernel algorithm does not like: kernel_alg_db_add() key_len not in range: alg_id=19, key_len=288, alg_minbits=128, alg_maxbits=256
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: unsupported ESP Transform ESP_AES_GCM_B from 80.1.1.200
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: no acceptable Proposal in IPsec SA
Apr 28 10:02:01 MILAN pluto[5469]: "interop4" #2: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.1.1.200:500
--------
 
 So I am confused about how to set the parameter to Phase2alg, If I want to use AES_GCM with 256(AES key length) ? 
 I think the sanity check of openswan here is not reasonable. What's expert's opinion?
 Thanks.
 
--Adam



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110504/f94375a1/attachment-0001.html 


More information about the Users mailing list