[Openswan Users] Cipher support for Openswan

Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco) mshirali at cisco.com
Thu Feb 12 13:28:57 EST 2015


All,

Thanks for the responses!

We're not using DES by default. We give the users an interface to choose the algorithm they wish to use. I do see with DES, OpenSwan complains about it being weak. I was wondering if there is a list of weak ciphers available or ones which have been discontinued from OpenSwan. The "ipsec auto --status" command helped.

Regards,
Mihir

-----Original Message-----
From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of users-request at lists.openswan.org
Sent: Thursday, February 12, 2015 9:00 AM
To: users at lists.openswan.org
Subject: Users Digest, Vol 130, Issue 5

Send Users mailing list submissions to
	users at lists.openswan.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.openswan.org/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
	users-request at lists.openswan.org

You can reach the person managing the list at
	users-owner at lists.openswan.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Users digest..."


Today's Topics:

   1. Cipher support for Openswan
      (Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco))
   2. Re: Help connect Openswan on centos to Cisco ASA 5520 (Afzal Khan)


----------------------------------------------------------------------

Message: 1
Date: Wed, 11 Feb 2015 22:33:51 +0000
From: "Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco)"
	<mshirali at cisco.com>
To: "users at lists.openswan.org" <users at lists.openswan.org>
Subject: [Openswan Users] Cipher support for Openswan
Message-ID:
	<2CB3FE548445B1499ECB673B53FFC30516EE412D at xmb-rcd-x13.cisco.com>
Content-Type: text/plain; charset="us-ascii"

Hi All,

I'm running openswan version openswan-2.6.32-37.el6.x86_64 on a RHEL6 server.  When using esp-des algorithm I see a message indicating it is too weak a cipher. However, when using a slightly older openswan version openswan-2.6.32-27.4.el6_5.x86_64, I don't see this error. Is there a page that confirms the list of algorithms which are no longer supported by openswan based on the version?

Regards,
Mihir

------------------------------

Message: 2
Date: Thu, 12 Feb 2015 19:21:37 +0530
From: Afzal Khan <khanafzal at gmail.com>
To: Nick Howitt <nick at howitts.co.uk>
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Help connect Openswan on centos to Cisco ASA 5520
Message-ID:
	<CAOXFw83zzcF2yWuYDH63zqrK6QMuu+v9iLxV45bW2afMP86dVQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Thank You Nick

The Cisco is running DES, I have requested them to use 3DES.


On Wed, Feb 11, 2015 at 4:38 PM, Nick Howitt <nick at howitts.co.uk> wrote:

> Is the Cisco really running with DES and not 3DES? If so, I believe 
> DES has been blocked in Openswan as it is too insecure. You can try 
> changing your ike and esp parameters in your conn, but I don't think it will work.
>
> Nick
>
>
> On 2015-02-11 09:28, Afzal Khan wrote:
>
>> Hi
>>
>> I am trying to connect to a cisco ASA 5520 at a client location. My 
>> server runs centos with openswan
>>
>> The config provided by the client is:
>>
>> Phase 1 Properties:
>> Authentication Method* - Pre-Shared Secret
>> Encryption Scheme - IKE
>> Perfect fwd secrecy - IKE DH GROUP2
>> Encryption Algorithm - IKE DES
>> Hashing Algorithm - IKE SHA
>> Renegotiate IKE SA time - 86400 seconds
>>
>> Phase 2 Properties:
>> Transform-set (IPSEC Protocol) - ESP
>> Perfect Fwd Secrecy - IPSEC DH GROUP2
>> Encryption Algorithm - IPSEC ESP-DES
>> Hashing Algorithm - IPSEC ESP-SHA-HMAC
>> Renegotiate IPSEC SA time - 86400 seconds
>>
>> My config:
>>
>> conn xyz
>>         type=tunnel
>>         authby=secret
>>         auth=esp
>>         ikelifetime=86400s
>>         keylife=86400s
>>         esp=3des-sha1
>>         ike=3des-sha1-modp1024
>>         keyexchange=ike
>>         pfs=yes
>> #local - centos
>>         left=198.xxx.xxx.192
>>         leftsourceip=192.168.21.101
>> #remote - cisco
>>         right=121.xxx.xxx.244
>>         rightsubnet=172.19.16.0/24
>>
>>         auto=start
>>
>> /var/log/messages:
>>
>> Feb 11 14:28:37 host ipsec__plutorun: 002 added connection description "xyz"
>> Feb 11 14:28:37 host ipsec__plutorun: 104 "xyz" #1: STATE_MAIN_I1: initiate
>>
>> /var/log/secure:
>>
>> Feb 11 14:28:37 host pluto[26936]: added connection description "xyz"
>> Feb 11 14:28:37 host pluto[26936]: loading secrets from "/etc/ipsec.d/xyz.secrets"
>> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: initiating Main Mode
>> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
>> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: received and ignored informational message
>>
>> iptables -L:
>>
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> ...
>> ACCEPT     all  --  127.0.0.1            0.0.0.0/0
>> icmp_packets  icmp --  0.0.0.0/0            0.0.0.0/0
>>
>> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> ...
>> ACCEPT     all  --  0.0.0.0/0            127.0.0.1
>> icmp_packets  icmp --  0.0.0.0/0            0.0.0.0/0
>>
>> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500
>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500
>> ...
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:444
>> LOG_DROP   all  --  0.0.0.0/0            0.0.0.0/0
>>
>> What am i doing wrong here?
>>
>> Please help me with this
>>
>> Thank You
>>
>
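As an added example (not Openswan's code and not anything the posters ran), the check below parses the ike=/esp= lines of a conn like the one quoted above, flags algorithms treated as weak, and tests whether the local IKE proposal overlaps what the peer offers, which is why Afzal's 3DES conn against a DES-only Cisco ends in NO_PROPOSAL_CHOSEN. The weak-algorithm sets and the DH-group-number-to-modp mapping are this example's own assumptions, as is reading the client's "SHA" as sha1.

```python
# Assumed weak sets (this example's policy, not an official Openswan list);
# the thread reports Openswan itself rejecting single DES as too weak.
WEAK = {"cipher": {"des"}, "hash": {"md5"}, "group": {"modp768", "modp1024"}}
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

def parse_conn(text):
    """Return the key=value settings of a conn block, ignoring # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_proposals(spec):
    """'3des-sha1-modp1024,aes128-sha1;modp2048' -> [(cipher, hash, group), ...]"""
    props = []
    for alt in spec.lower().split(","):
        alt, _, group = alt.strip().partition(";")   # 'cipher-hash;group' form
        parts = alt.split("-")                        # 'cipher-hash-group' form
        hsh = parts[1] if len(parts) > 1 else None
        group = group or (parts[2] if len(parts) > 2 else None)
        props.append((parts[0], hsh, group or None))
    return props

def weak_findings(spec):
    """Names of weak ciphers/hashes/groups used anywhere in a proposal string."""
    found = []
    for cipher, hsh, group in parse_proposals(spec):
        for kind, name in (("cipher", cipher), ("hash", hsh), ("group", group)):
            if name in WEAK[kind]:
                found.append(f"{kind} {name}")
    return found

def common_proposals(local_spec, peer_props):
    """Proposals both sides accept; an empty list means NO_PROPOSAL_CHOSEN."""
    return [p for p in parse_proposals(local_spec) if p in peer_props]

# Constructed from the conn posted in the thread (unrelated settings omitted).
CONN_XYZ = "conn xyz\n        esp=3des-sha1\n        ike=3des-sha1-modp1024\n        pfs=yes\n"
# The peer's Phase 1 as the client described it: IKE DES, SHA (assumed sha1), DH group 2.
PEER_PHASE1 = [("des", "sha1", DH_GROUPS["2"])]

def analyse(conn_text=CONN_XYZ, peer=PEER_PHASE1):
    """Weak algorithms in the conn's ike=/esp= lines and the IKE overlap with the peer."""
    s = parse_conn(conn_text)
    return {"weak_ike": weak_findings(s["ike"]), "weak_esp": weak_findings(s["esp"]),
            "common_ike": common_proposals(s["ike"], peer)}
```

Calling analyse() on the quoted conn gives an empty common_ike (3DES locally, DES on the Cisco), and flags modp1024 in the ike= line; switching the Cisco to 3DES, as Afzal requested, is what makes the IKE proposals overlap.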
