[Openswan Users] Does Openswan support aes_ctr as esp's encrypt alg? support aes_xcbc as esp's authen alg?
汪洋旦
wangyangdan at hz.cn
Wed May 4 03:47:14 EDT 2011
Hi all,
I am trying each alg listed by "ipsec auto status" as phase2alg during my testing.
I built a test bed with Openswan----Openswan (2.6.33).
And I met the problem that Openswan seems not to support the following algs, although they are listed by "ipsec auto status".
Does anybody know how to set "aes_ctr" as esp's encrypt alg, and how to set "aes_xcbc" as esp's authen alg? Thanks.
Following is the failed case and error log:
1. Failed to use aes_ctr as esp's encrypt alg.
I set the alg -- "phase2alg=aes_ctr-128-sha1" in ipsec.conf.
-----------------
[root@openswan ~]# cat /etc/ipsec.conf
config setup
    pluto=yes
    protostack=netkey

conn %default
    authby=secret
    auto=route
    ikev2=never
    ikelifetime=600s
    rekeymargin=30s
    salifetime=1000s
    rekey=yes

conn interop4
    left=20.3.2.27
    leftsubnet=20.2.7.0/24
    right=20.3.2.11
    rightsubnet=20.1.1.0/24
    ike=3des-sha1;modp1024
    pfs=yes
    phase2alg=aes_ctr-128-sha1
    type=tunnel
    aggrmode=no
------------------
and I got the error log while negotiating with the peer (our product, which supports aes_ctr):
"ERROR: netlink response for Add SA esp.8b100d8d@20.3.2.11 included errno 38: Function not implemented"
--------------
[root@openswan ~]# cat /var/log/secure
...
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: initiating Main Mode
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: ignoring unknown Vendor ID payload [af7557ec8fa949e5c3850465a3eecc41]
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: Main mode peer ID is ID_IPV4_ADDR: '20.3.2.11'
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 3 16:59:56 openswan pluto[1621]: "interop4" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK {using isakmp#1 msgid:94c62be5 proposal=AES_CTR(13)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 3 16:59:56 openswan pluto[1621]: "interop4" #1: received and ignored informational message
May 3 16:59:56 openswan pluto[1621]: "interop4" #2: ERROR: netlink response for Add SA esp.8b100d8d@20.3.2.11 included errno 38: Function not implemented
--------------
2. Failed to use aes_cbc as esp's AUTH alg.
When I set "phase2alg=3des-aes_xcbc;modp2048" in ipsec.conf, the error log output is:
"May 4 13:55:08 INTEL pluto[16607]: esp string error: hash_alg not found, enc_alg="3des", auth_alg="aes_xcbc", modp="" ..."
When I set "phase2alg=3des-aes_cbc;modp2048" in ipsec.conf, the error log output is:
"ASSERTION FAILED at /home/adam/tools/openswan-2.6.33/lib/libopenswan/alg_info.c:68: case 9 unexpected"
--Adam