[Openswan Users] AES config for .38

dgoffe at cox.net dgoffe at cox.net
Tue Apr 10 17:26:21 EDT 2012


The last 3 lines of this email are the esp and ike configs for the .38 release, running on a 2.6.24.4 kernel.

When set to esp=3des-md5 and ike=3des-md5-modp1024, everything connects correctly.
But as you can see in the status output below, with esp=aes128-sha1 and ike=aes128-sha1-modp1536
  the ESP side results in "ESP algorithms loaded: none".

Is this a build problem, with the algorithm missing from the generic aes module? It seems to find the IKE config OK.

A little help would be appreciated. Thanks

--------------------------------------------------------------------------------------------

000 
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000 
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,216} attrs={0,1,144} 
000 
000 "OPENSWAN10": 192.168.2.250<192.168.2.250>[@OPENSWAN10,+MC+XC+S=C]---192.168.2.253...173.161.2.210<173.161.2.210>[10.1.10.9,MS+XS+S=C]===10.129.0.8/29; unrouted; eroute owner: #0
000 "OPENSWAN10":     myip=unset; hisip=unset;
000 "OPENSWAN10":   ike_life: 79200s; ipsec_life: 79200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
000 "OPENSWAN10":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,29; interface: eth0; 
000 "OPENSWAN10":   dpd: action:restart; delay:40; timeout:80;  
000 "OPENSWAN10":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "OPENSWAN10":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5); flags=-strict
000 "OPENSWAN10":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)
000 "OPENSWAN10":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "OPENSWAN10":   ESP algorithms loaded: none



===============================================================
ipsec.conf - Please ignore the "xxx" in the addresses. Thanks
--------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: osvpnmgr.c,v 1.25 2012/04/04 13:19:20 dgoffe Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Full pluto debug output, written to a file under /tmp. Reasonable while
        # chasing the "ESP algorithms loaded: none" problem; for normal operation
        # consider lowering the debug level and logging to a path that is not in
        # a shared temporary directory, since the log describes every negotiation.
        plutodebug=all
        plutostderrlog=/tmp/pluto.log
        nat_traversal=yes
        # Opportunistic encryption disabled.
        oe=off
        # NETKEY: the kernel's native IPsec stack does the ESP processing, so the
        # ESP algorithms pluto can load are the ones the running kernel registers.
        # NOTE(review): the status output in this post lists ESP_AES (id=12) but
        # only AUTH_ALGORITHM_HMAC_MD5 under "ESP auth attr"; the missing piece
        # for esp=aes128-sha1 may therefore be kernel SHA1 HMAC support rather
        # than AES -- confirm against the kernel config / loaded crypto modules.
        protostack=netkey
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Add connections here

conn OPENSWAN10
               type=tunnel
               # Local (left) endpoint; addresses are masked with "xxx" by the poster.
               left=192.168.xxx.xxx
               leftid=@OPENSWAN10
               leftnexthop=192.168.xxx.xxx
               # This side acts as the XAUTH / ModeConfig client and pulls its
               # configuration from the peer.
               modecfgpull=yes
               leftmodecfgclient=yes
               leftxauthclient=yes
               # Right security gateway, subnet behind it, nexthop toward left.
               right=173.161.xxx.xxx
               rightid=10.1.10.9
               rightsubnet=10.129.0.8/29
               rightxauthserver=yes
               rightmodecfgserver=yes
               # presumably 0 means "retry indefinitely" here -- verify in ipsec.conf.5
               keyingtries=0
               # This end does not initiate rekeying (DONTREKEY in the status output).
               rekey=no
               # 22h = 79200s, matching ike_life / ipsec_life in the status output.
               ikelifetime=22h
               keylife=22h
               # No perfect forward secrecy for the IPsec SAs: their keys are derived
               # from the IKE SA's keying material without a fresh DH exchange.
               # Enable it if the remote gateway supports PFS.
               pfs=no
               # Aggressive mode together with authby=secret (PSK): the responder's
               # authentication hash is sent unencrypted, so an observer of the
               # exchange can attempt offline guessing of the pre-shared key.
               # Prefer main mode if the peer allows it; otherwise use a long,
               # random PSK.
               aggrmode=yes
               # Dead peer detection: probe every 40s, declare the peer dead after
               # 80s, then restart the connection.
               dpddelay=40
               dpdtimeout=80
               dpdaction=restart
               # Load the connection definition at startup but do not initiate it.
               auto=add
               auth=esp
               # Phase 2 (ESP) proposal: AES-128 with HMAC-SHA1. This is the setting
               # that ends up as "ESP algorithms loaded: none" in the status output.
               esp=aes128-sha1
               # Phase 1 (IKE) proposal: AES-128-CBC, SHA1, DH group 5 (MODP1536).
               # The status output also lists MODP2048 and larger groups as available
               # locally; a larger group is preferable if the peer accepts it.
               ike=aes128-sha1-modp1536
               authby=secret




