[Openswan Users] AES config for .38
dgoffe at cox.net
Tue Apr 10 17:26:21 EDT 2012
In the last 3 lines of this email are the esp and ike configs for the .38 release running on a 2.6.24.4 kernel.
When set to esp=3des-md5 and ike=3des-md5-modp1024, everything connects correctly.
But as you can see, if esp=aes128-sha1 and ike=aes128-sha1-modp1536,
esp results in "ESP algorithms loaded: none".
Is this a build problem with the algorithm missing from the generic aes module? It seems to find the IKE config ok.
A little help would be appreciated. Thanks
--------------------------------------------------------------------------------------------
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,216} attrs={0,1,144}
000
000 "OPENSWAN10": 192.168.2.250<192.168.2.250>[@OPENSWAN10,+MC+XC+S=C]---192.168.2.253...173.161.2.210<173.161.2.210>[10.1.10.9,MS+XS+S=C]===10.129.0.8/29; unrouted; eroute owner: #0
000 "OPENSWAN10": myip=unset; hisip=unset;
000 "OPENSWAN10": ike_life: 79200s; ipsec_life: 79200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "OPENSWAN10": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,29; interface: eth0;
000 "OPENSWAN10": dpd: action:restart; delay:40; timeout:80;
000 "OPENSWAN10": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "OPENSWAN10": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5); flags=-strict
000 "OPENSWAN10": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)
000 "OPENSWAN10": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "OPENSWAN10": ESP algorithms loaded: none
===============================================================
ipsec.conf - Please ignore the "xxx" in the addresses. Thanks
--------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: osvpnmgr.c,v 1.25 2012/04/04 13:19:20 dgoffe Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    plutodebug=all
    plutostderrlog=/tmp/pluto.log
    nat_traversal=yes
    oe=off
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Add connections here
conn OPENSWAN10
    type=tunnel
    left=192.168.xxx.xxx
    leftid=@OPENSWAN10
    leftnexthop=192.168.xxx.xxx
    modecfgpull=yes
    leftmodecfgclient=yes
    leftxauthclient=yes
    # Right security gateway, subnet behind it, nexthop toward left.
    right=173.161.xxx.xxx
    rightid=10.1.10.9
    rightsubnet=10.129.0.8/29
    rightxauthserver=yes
    rightmodecfgserver=yes
    keyingtries=0
    rekey=no
    ikelifetime=22h
    keylife=22h
    pfs=no
    aggrmode=yes
    dpddelay=40
    dpdtimeout=80
    dpdaction=restart
    auto=add
    auth=esp
    esp=aes128-sha1
    ike=aes128-sha1-modp1536
    authby=secret
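
The comparison between the "ESP algorithms wanted" line and the algorithm list can be scripted. The following is an added example, not part of the original post and not Openswan code: it parses status output in the format shown above and reports which half of each wanted ESP proposal has no matching "algorithm ESP" line. It assumes the number in parentheses on the "wanted" line is the same id printed on the "algorithm ESP" lines; the name check_esp is hypothetical.

```python
import re

# Lines copied from the status output in the post above.
SAMPLE = """\
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 "OPENSWAN10": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "OPENSWAN10": ESP algorithms loaded: none
"""

# "algorithm ESP encrypt|auth attr" lines: id, name and allowed key-size range.
ALG = re.compile(r"algorithm ESP (encrypt|auth attr): id=(\d+), name=(\w+),"
                 r".*?keysizemin=(\d+), keysizemax=(\d+)")
WANTED = re.compile(r'"([^"]+)": ESP algorithms wanted: ([^;]+);')
# One proposal, e.g. AES(12)_128-SHA1(2)_000 (a key size of 000 means default).
PROPOSAL = re.compile(r"(\w+)\((\d+)\)_(\d+)-(\w+)\((\d+)\)_\d+")


def check_esp(status_text):
    """Return {connection: [problems]} for each 'ESP algorithms wanted' line."""
    enc, auth, wanted = {}, {}, []
    for line in status_text.splitlines():
        m = ALG.search(line)
        if m:
            table = enc if m.group(1) == "encrypt" else auth
            table[int(m.group(2))] = (int(m.group(4)), int(m.group(5)))
            continue
        m = WANTED.search(line)
        if m:
            wanted.append(m.groups())
    report = {}
    for conn, proposals in wanted:
        problems = report.setdefault(conn, [])
        for ename, eid, ebits, aname, aid in PROPOSAL.findall(proposals):
            eid, ebits, aid = int(eid), int(ebits), int(aid)
            if eid not in enc:
                problems.append(f"encrypt {ename}({eid}) not listed")
            elif ebits and not enc[eid][0] <= ebits <= enc[eid][1]:
                problems.append(f"encrypt {ename}({eid}) key size {ebits} out of range")
            if aid not in auth:
                problems.append(f"auth {aname}({aid}) not listed")
    return report


if __name__ == "__main__":
    for conn, problems in check_esp(SAMPLE).items():
        print(conn, problems or "all wanted ESP algorithms listed")
```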