[Openswan Users] AES config for .38

Andy Gay andy at andynet.net
Tue Apr 10 19:44:29 EDT 2012


On Tue, 2012-04-10 at 17:26 -0400, dgoffe at cox.net wrote:
> In last 3 lines of this email are the esp and ike configs for the .38 release running on 2.6.24.4 kernel
> 
Seems like maybe you don't have the AES kernel module loaded? Looks like
you may have a custom kernel there (2.6.24.4 doesn't look like a stock
distro kernel), perhaps you didn't enable AES? Run lsmod, look for any
aes stuff - here's what I get with a 2.6.32-5 kernel:
$ lsmod | grep aes
aes_i586 6816 26
aes_generic 25738 1 aes_i586

If the module(s) are available but not loaded for some reason, you may
need to modprobe them before starting openswan.


> When set to esp=3des-md5 and ike=3des-md5-modp1024 everything connects correctly.
> But as you can see if esp=aes128-sha1 and ike=aes128-sha1-modp1536
>   esp results in  ESP algorithms loaded: none
> 
> Is this a build problem with the algorithm missing from the generic aes module?? It seems to find the IKE config ok. 
> 
Not certain about this, but I don't think IKE uses the kernel module -
it's done in userspace code in pluto. So the IKE part looks OK, as you
say.

BTW - it's probably not causing your problem, but I believe the esp=
config directive is deprecated these days, replaced with phase2alg=.
Here's how my conns are defined (using openswan 2.6.38 as well):
  ike=aes128-sha
  phase2alg=aes128-sha1;modp1024



> A little help would be appreciated. Thanks

Hope this helps...

> 
> --------------------------------------------------------------------------------------------
> 
> 000 
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000 
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,216} attrs={0,1,144} 
> 000 
> 000 "OPENSWAN10": 192.168.2.250<192.168.2.250>[@OPENSWAN10,+MC+XC+S=C]---192.168.2.253...173.161.2.210<173.161.2.210>[10.1.10.9,MS+XS+S=C]===10.129.0.8/29; unrouted; eroute owner: #0
> 000 "OPENSWAN10":     myip=unset; hisip=unset;
> 000 "OPENSWAN10":   ike_life: 79200s; ipsec_life: 79200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
> 000 "OPENSWAN10":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,29; interface: eth0; 
> 000 "OPENSWAN10":   dpd: action:restart; delay:40; timeout:80;  
> 000 "OPENSWAN10":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "OPENSWAN10":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5); flags=-strict
> 000 "OPENSWAN10":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)
> 000 "OPENSWAN10":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
> 000 "OPENSWAN10":   ESP algorithms loaded: none
> 
> 
> 
> ===============================================================
> ipsec.conf - Please ignore the "xxx" in the addresses. Thanks
> --------------------------------
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: osvpnmgr.c,v 1.25 2012/04/04 13:19:20 dgoffe Exp $
> 
> # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> 
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         plutodebug=all
>         plutostderrlog=/tmp/pluto.log
>         nat_traversal=yes
>         oe=off
>         protostack=netkey
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> 
> # Add connections here
> 
> conn OPENSWAN10
>                type=tunnel
>                left=192.168.xxx.xxx
>                leftid=@OPENSWAN10
>                leftnexthop=192.168.xxx.xxx
>                modecfgpull=yes
>                leftmodecfgclient=yes
>                leftxauthclient=yes
>                # Right security gateway, subnet behind it, nexthop toward left.
>                right=173.161.xxx.xxx
>                rightid=10.1.10.9
>                rightsubnet=10.129.0.8/29
>                rightxauthserver=yes
>                rightmodecfgserver=yes
>                keyingtries=0
>                rekey=no
>                ikelifetime=22h
>                keylife=22h
>                pfs=no
>                aggrmode=yes
>                dpddelay=40
>                dpdtimeout=80
>                dpdaction=restart
>                auto=add
>                auth=esp
>                esp=aes128-sha1
>                ike=aes128-sha1-modp1536
>                authby=secret
> 
> 
> 
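The check Andy describes above (confirm the kernel actually provides the algorithms before starting openswan), as an added example that is not part of this thread: a POSIX shell script that maps the transform names in an esp= or phase2alg= string to Linux kernel crypto API names and checks a /proc/crypto-style listing for them. The name mapping, the script name and the constructed /proc/crypto excerpt are assumptions made here, not output from the poster's system; the script generalises from the thread's aes128-sha1 case to the other common transforms.

```shell
#!/bin/sh
# Added example (not from the thread): map the transform names in an Openswan
# esp=/phase2alg= string to Linux kernel crypto API names and check a
# /proc/crypto-style listing for them. A cipher or hash missing here is what
# "ipsec auto --status" reports as "ESP algorithms loaded: none".

# Strip the key length from a transform name and map it to the kernel's
# algorithm name (assumed mapping for the common Openswan transforms).
alg_base() {
  case "$1" in
    aes|aes128|aes192|aes256) echo aes ;;
    3des)                     echo des3_ede ;;
    sha|sha1)                 echo sha1 ;;
    sha2_256|sha256)          echo sha256 ;;
    md5)                      echo md5 ;;
    *)                        echo "$1" ;;
  esac
}

# Succeeds when listing file $2 has a "name : $1" entry.
kernel_has() {
  grep -Eq "^name[[:space:]]*:[[:space:]]*$1\$" "$2"
}

# Print the kernel algorithms required by "$1" (e.g. aes128-sha1;modp1024)
# that are absent from listing "$2"; returns 1 if anything is missing.
missing_algs() {
  phase2="${1%%;*}"   # drop ";modpNNNN": the DH group is handled by pluto, not the kernel
  case "$phase2" in
    *-*) enc="${phase2%%-*}"; auth="${phase2#*-}" ;;
    *)   enc="$phase2";       auth="" ;;
  esac
  rc=0
  for name in "$enc" "$auth"; do
    [ -n "$name" ] || continue
    a=$(alg_base "$name")
    if ! kernel_has "$a" "$2"; then
      echo "$a"
      rc=1
    fi
  done
  return $rc
}

# Constructed /proc/crypto excerpt for a kernel with sha1, md5 and 3DES but no
# AES, so the script runs offline; on a real host pass /proc/crypto instead.
sample_listing() {
  cat <<'EOF'
name         : sha1
driver       : sha1-generic
type         : shash

name         : md5
driver       : md5-generic
type         : shash

name         : des3_ede
driver       : des3_ede-generic
type         : cipher
EOF
}

# Usage: sh check_esp_algs.sh 'aes128-sha1;modp1024' /proc/crypto
# With no arguments it checks the constructed listing above.
if [ "$#" -eq 2 ]; then
  alg="$1"; listing="$2"
else
  alg='aes128-sha1;modp1024'; listing=$(mktemp); sample_listing > "$listing"
fi
if missing=$(missing_algs "$alg" "$listing"); then
  echo "kernel provides every algorithm needed by $alg"
else
  echo "missing from the kernel crypto API for $alg: $missing"
  echo "load the module(s) with modprobe before starting openswan, or enable them in the kernel config"
fi
```

Run it on the host where pluto reports "ESP algorithms loaded: none", passing the conn's phase2alg string and /proc/crypto; the names it prints are the ones to look for in lsmod and modprobe (or build into the kernel) before starting openswan.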





