[Openswan Users] IKE algorithm newest

kAja Ziegler ziegleka at gmail.com
Thu Sep 20 02:48:12 EDT 2012


Hi,

  I have two nodes with CentOS 6.3 and Openswan 2.6.32, both with the same
ipsec configuration. I have two questions about the "IKE algorithm newest"
status line when IKEv2 is used.

conn <name>
        left=<ip>
        leftsubnet=<subnet>
        leftid=@<id_fqdn>
        leftrsasigkey=<rsa_key>

        right=<ip>
        rightsubnet=<subnet>
        rightid=@<id_fqdn>
        rightrsasigkey=<rsa_key>

        authby=rsasig
        ike=<IKE>
        ikev2=propose
        phase2alg=aes256-sha1;modp2048

        auto=add


1. When I set ike=3des-sha1;modp2048 on both nodes, the "IKE algorithm
newest" line shows BLOWFISH_CBC_192-SHA1-MODP2048 on both sides. Is this OK,
or is it a bug (3DES -> BLOWFISH)?

000 "<name>":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "<name>":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+IKEv2Init+SAREFTRACK; prio: 23,16; interface: eth0;
000 "<name>":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "<name>":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14); flags=-strict
000 "<name>":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP2048(14)
000 "<name>":   IKE algorithm newest: BLOWFISH_CBC_192-SHA1-MODP2048
000 "<name>":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP2048(14); flags=-strict
000 "<name>":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "<name>":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP2048


2. When I set ike=aes256-sha1;modp2048 on both nodes, the "IKE algorithm
newest" line shows _256-SHA1-MODP2048 on both sides. Is this OK, or is it a
bug (the AES at the beginning is missing)?

000 "<name>":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "<name>":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+IKEv2Init+SAREFTRACK; prio: 23,16; interface: eth0;
000 "<name>":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "<name>":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "<name>":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "<name>":   IKE algorithm newest: _256-SHA1-MODP2048
000 "<name>":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP2048(14); flags=-strict
000 "<name>":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "<name>":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP2048

Best regards,
-- 
Karel Ziegler
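An added check, not part of the post above and not Openswan's own code: the script below parses the "IKE algorithms found" and "IKE algorithm newest" lines of the status output quoted in the post and reports whether the "newest" name agrees with the negotiated cipher. It also tests one explanation that fits the numbers in parentheses: the "wanted"/"found" lines carry IKEv1 encryption-attribute IDs (3DES_CBC is 5 and AES_CBC is 7 in the IANA IKEv1 registry), while IKEv2 uses different transform IDs (3DES is 3 and AES_CBC is 12 in RFC 7296/IANA). Looking an IKEv2 ID up in the IKEv1 table gives BLOWFISH_CBC for 3 and no entry at all for 12, which is exactly what the two "newest" lines print. That Openswan's status printer performs such a lookup is an assumption of this example, not something the post confirms. The sample lines are reconstructed from the post's output (unwrapped to one line each), and the connection name "vpn" stands in for <name>.

```python
import re

# Sample input: the status lines from the post above, unwrapped to one
# line each, with "vpn" standing in for the redacted connection name.
STATUS_3DES = """\
000 "vpn":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14); flags=-strict
000 "vpn":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP2048(14)
000 "vpn":   IKE algorithm newest: BLOWFISH_CBC_192-SHA1-MODP2048
"""
STATUS_AES = """\
000 "vpn":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "vpn":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "vpn":   IKE algorithm newest: _256-SHA1-MODP2048
"""

# IANA "IKEv1 Encryption Algorithm" attribute values (the IDs printed in the
# "wanted"/"found" lines), named the way Openswan prints them.
IKEV1_ENCR = {
    1: "DES_CBC", 2: "IDEA_CBC", 3: "BLOWFISH_CBC", 4: "RC5_R16_B64_CBC",
    5: "3DES_CBC", 6: "CAST_CBC", 7: "AES_CBC", 8: "CAMELLIA_CBC",
}
# IANA IKEv2 Transform Type 1 (encryption) values, RFC 7296 section 3.3.2.
IKEV2_ENCR = {
    1: "DES_IV64", 2: "DES", 3: "3DES", 4: "RC5", 5: "IDEA", 6: "CAST",
    7: "BLOWFISH", 8: "3IDEA", 9: "DES_IV32", 11: "NULL", 12: "AES_CBC",
    13: "AES_CTR",
}
# Same cipher, IKEv1 name -> IKEv2 transform ID.
IKEV1_NAME_TO_IKEV2_ID = {
    "DES_CBC": 2, "IDEA_CBC": 5, "BLOWFISH_CBC": 7, "3DES_CBC": 3,
    "CAST_CBC": 6, "AES_CBC": 12,
}

ALG_RE = re.compile(
    r'IKE algorithms found:\s+(?P<encr>\w+)\((?P<encr_id>\d+)\)_(?P<keylen>\d+)'
    r'-(?P<integ>\w+)\((?P<integ_id>\d+)\)_\d+-(?P<dh>\w+)\((?P<dh_id>\d+)\)')
NEWEST_RE = re.compile(r'IKE algorithm newest:\s+(?P<newest>\S+)')


def parse_ike_status(text):
    """Pull the negotiated IKE proposal and the 'newest' string out of status output."""
    info = {}
    for line in text.splitlines():
        m = ALG_RE.search(line)
        if m:
            info["found"] = {
                "encr": m["encr"], "encr_id": int(m["encr_id"]),
                "keylen": int(m["keylen"]), "integ": m["integ"], "dh": m["dh"],
            }
        m = NEWEST_RE.search(line)
        if m:
            info["newest"] = m["newest"]
    return info


def expected_newest(found):
    """What 'newest' should print if it names the cipher from the 'found' line."""
    return f"{found['encr']}_{found['keylen']}-{found['integ']}-{found['dh']}"


def newest_if_ikev2_id_looked_up_in_ikev1_table(found):
    """Hypothesis (an assumption of this example, see the lead-in): the printer
    takes the IKEv2 transform ID of the negotiated cipher and looks it up in
    the IKEv1 table. IKEv2 id 3 (3DES) is BLOWFISH_CBC in IKEv1; id 12
    (AES_CBC) has no IKEv1 entry at all, so the cipher name comes out empty."""
    v2_id = IKEV1_NAME_TO_IKEV2_ID[found["encr"]]
    misnamed = IKEV1_ENCR.get(v2_id, "")
    return f"{misnamed}_{found['keylen']}-{found['integ']}-{found['dh']}"


def check_ike_status(text):
    """Compare the printed 'newest' line against policy and against the hypothesis."""
    st = parse_ike_status(text)
    found, newest = st["found"], st["newest"]
    return {
        "newest": newest,
        "expected": expected_newest(found),
        "matches_policy": newest == expected_newest(found),
        "matches_id_mixup": newest == newest_if_ikev2_id_looked_up_in_ikev1_table(found),
        "ikev1_id": found["encr_id"],
        "ikev2_id": IKEV1_NAME_TO_IKEV2_ID[found["encr"]],
    }


if __name__ == "__main__":
    for label, sample in (("3des-sha1;modp2048", STATUS_3DES),
                          ("aes256-sha1;modp2048", STATUS_AES)):
        r = check_ike_status(sample)
        print(f"ike={label}: newest={r['newest']!r} expected={r['expected']!r} "
              f"policy_ok={r['matches_policy']} explained_by_id_mixup={r['matches_id_mixup']} "
              f"(IKEv1 id {r['ikev1_id']}, IKEv2 id {r['ikev2_id']})")
```

Run against real output with `ipsec auto --status` piped into `check_ike_status`. The useful signal for an operator is the "found" line and the key length, which are what the IKEv2 peer actually agreed to; the ESP lines in the post already print the IPsec DOI ID for AES (12), which is the same value as the IKEv2 transform ID, which is consistent with the ESP "newest" line coming out with its name intact.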