[Openswan Users] AES config for .38
Andy Gay
andy at andynet.net
Tue Apr 10 19:44:29 EDT 2012
On Tue, 2012-04-10 at 17:26 -0400, dgoffe at cox.net wrote:
> In last 3 lines of this email are the esp and ike configs for the .38 release running on 2.6.24.4 kernel
>
Seems like maybe you don't have the AES kernel module loaded? Looks like
you may have a custom kernel there (2.6.24.4 doesn't look like a stock
distro kernel), perhaps you didn't enable AES? Run lsmod, look for any
aes stuff - here's what I get with a 2.6.32-5 kernel:
$ lsmod | grep aes
aes_i586 6816 26
aes_generic 25738 1 aes_i586
If the module(s) are available but not loaded for some reason, you may
need to modprobe them before starting openswan.
> When set to esp=3des-md5 and ike=3des-md5-modp1024 everything connects correctly.
> But as you can see if esp=aes128-sha1 and ike=aes128-sha1-modp1536
> esp results in ESP algorithms loaded: none
>
> Is this a build problem with the algorithm missing from the generic aes module?? It seems to find the IKE config ok.
>
Not certain about this, but I don't think IKE uses the kernel module -
it's done in userspace code in pluto. So the IKE part looks OK, as you
say.
BTW - it's probably not causing your problem, but I believe the esp=
config directive is deprecated these days, replaced with phase2alg=.
Here's how my conns are defined (using openswan 2.6.38 as well):
ike=aes128-sha
phase2alg=aes128-sha1;modp1024
> A little help would be appreciated. Thanks
Hope this helps...
>
> --------------------------------------------------------------------------------------------
>
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,216} attrs={0,1,144}
> 000
> 000 "OPENSWAN10": 192.168.2.250<192.168.2.250>[@OPENSWAN10,+MC+XC+S=C]---192.168.2.253...173.161.2.210<173.161.2.210>[10.1.10.9,MS+XS+S=C]===10.129.0.8/29; unrouted; eroute owner: #0
> 000 "OPENSWAN10": myip=unset; hisip=unset;
> 000 "OPENSWAN10": ike_life: 79200s; ipsec_life: 79200s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "OPENSWAN10": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,29; interface: eth0;
> 000 "OPENSWAN10": dpd: action:restart; delay:40; timeout:80;
> 000 "OPENSWAN10": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "OPENSWAN10": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5); flags=-strict
> 000 "OPENSWAN10": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)
> 000 "OPENSWAN10": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
> 000 "OPENSWAN10": ESP algorithms loaded: none
>
>
>
> ===============================================================
> ipsec.conf - Please ignore the "xxx" in the addresses. Thanks
> --------------------------------
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: osvpnmgr.c,v 1.25 2012/04/04 13:19:20 dgoffe Exp $
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         plutodebug=all
>         plutostderrlog=/tmp/pluto.log
>         nat_traversal=yes
>         oe=off
>         protostack=netkey
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>
> # Add connections here
>
> conn OPENSWAN10
>         type=tunnel
>         left=192.168.xxx.xxx
>         leftid=@OPENSWAN10
>         leftnexthop=192.168.xxx.xxx
>         modecfgpull=yes
>         leftmodecfgclient=yes
>         leftxauthclient=yes
>         # Right security gateway, subnet behind it, nexthop toward left.
>         right=173.161.xxx.xxx
>         rightid=10.1.10.9
>         rightsubnet=10.129.0.8/29
>         rightxauthserver=yes
>         rightmodecfgserver=yes
>         keyingtries=0
>         rekey=no
>         ikelifetime=22h
>         keylife=22h
>         pfs=no
>         aggrmode=yes
>         dpddelay=40
>         dpdtimeout=80
>         dpdaction=restart
>         auto=add
>         auth=esp
>         esp=aes128-sha1
>         ike=aes128-sha1-modp1536
>         authby=secret
>
>
>
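The check Andy describes (look for "ESP algorithms loaded: none", then see whether an aes kernel module is loaded or merely available) as a small script; this is an added example, not code from the thread or from Openswan. The sample status and lsmod text are constructed from the lines quoted above; `ipsec auto --status`, `modinfo` and the `CONFIG_CRYPTO_AES` option name are my assumptions, not stated in the thread.

```shell
# Constructed sample of status output, modelled on the lines quoted in the thread.
SAMPLE_STATUS='000 "OPENSWAN10": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "OPENSWAN10": ESP algorithms loaded: none
000 "OTHERCONN": ESP algorithms wanted: 3DES(3)_192-HMAC_MD5(1)_000; flags=-strict
000 "OTHERCONN": ESP algorithms loaded: 3DES(3)_192-HMAC_MD5(1)_128'

# Constructed lsmod output from a kernel with no aes module loaded.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                    5440  0
des_generic            16424  1'

# Print the names of connections whose ESP proposal matched no kernel algorithm.
conns_without_esp() {
    printf '%s\n' "$1" | sed -n 's/^000 "\([^"]*\)": ESP algorithms loaded: none$/\1/p'
}

# Return 0 if any module whose name starts with "aes" appears in lsmod-style output.
aes_module_loaded() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /^aes/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Run both checks against the live host (assumes the openswan "ipsec auto --status"
# command; modprobe/modinfo need root). Nothing here changes the system.
diagnose_live() {
    status=$(ipsec auto --status 2>/dev/null) || return 1
    missing=$(conns_without_esp "$status")
    [ -n "$missing" ] || { echo "every conn has ESP algorithms loaded"; return 0; }
    echo "conns reporting 'ESP algorithms loaded: none':"
    echo "$missing"
    if aes_module_loaded "$(lsmod)"; then
        echo "an aes module is loaded; re-check the esp=/phase2alg= proposal instead"
    elif modinfo aes >/dev/null 2>&1 || modinfo aes_generic >/dev/null 2>&1; then
        echo "aes module available but not loaded: modprobe it, then restart openswan"
    else
        echo "no aes module in this kernel; it needs CONFIG_CRYPTO_AES (assumed option name)"
    fi
}
```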