[Openswan Users] Question on ciphers

Patrick Naubert patrickn at xelerance.com
Wed Jul 22 13:15:05 EDT 2015


Rescued from the spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: Daniel Cave <dan.cave at icloud.com>
Subject: Re: [Openswan Users] Question on ciphers
Date: July 22, 2015 at 12:54:28 PM EDT
To: "Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco)" <mshirali at cisco.com>
Cc: users at lists.openswan.org


Mihir,

Firstly, this is really easy to answer...

The grep you did is correct; however, you may be using the wrong cipher. IF you comment out the AH/ESP parameters, Openswan will *try* to automatically negotiate the connection when a proposal is made.

You can (and probably should) specify the ESP and AH ciphers separately.

ike=aes-128
phase2alg=blowfish
phase2=esp

On my Openswan to Cisco ASA I've done this:

###############################
# Settings
###############################
    ike=3des-md5
    phase2alg=3des-md5
    phase2=esp
###############################
    ikelifetime=86400s
#    keyexchange=ike
    keylife=28800s
   ## was## keylife=86400s

Obviously both sides have to match.

I would start by looking at the logs and output from ipsec auto status to see if they both negotiate both phases.

Hope that helps.

Dan.

On Jul 22, 2015, at 05:22 PM, "Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco)" <mshirali at cisco.com> wrote:

> Hi All,
>  
> I'm using RHEL 6.6 and openswan-2.6.32-37.el6.x86_64.
> I had a couple of questions related to ciphers:
> 1 - When I run ipsec auto --status, I do see Blowfish listed as one of the available ciphers:
> ipsec auto --status | grep BLOW
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
>  
> However, when I plug this into my config file, the tunnel does not come up. Could you please let me know if Blowfish is something which is unsupported?
> <snip>
>         esp=blowfish448-sha1
> </snip>
>  
> 2 - I believe the esp cipher can be specified as follows:
>     aes-sha1 OR
>     aes128-sha1
> How does OpenSwan treat these 2 internally? Are they treated as 2 separate ciphers or the same one?
>  
> Regards,
> Mihir

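As an added example (not code from this thread or from Openswan itself), here is a small Python check that parses the "algorithm ESP encrypt" lines printed by `ipsec auto --status`, as quoted above, and tests whether a phase2alg/esp= proposal such as blowfish448-sha1 names an advertised cipher with a key size inside the advertised keysizemin..keysizemax range. The status lines other than the ESP_BLOWFISH one, and the mapping from the config keyword to the ESP_<NAME> label, are assumptions made for the example.

```python
import re

# Constructed sample of `ipsec auto --status` output. The ESP_BLOWFISH line is the
# one quoted in the thread; the 3DES and AES lines are made up for illustration.
SAMPLE_STATUS = """\
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
"""

ALG_LINE = re.compile(
    r"^000 algorithm ESP encrypt: id=(?P<id>\d+), name=(?P<name>\S+), "
    r"ivlen=\d+, keysizemin=(?P<min>\d+), keysizemax=(?P<max>\d+)$"
)

def parse_esp_ciphers(status_text):
    """Return {ESP_NAME: (keysizemin, keysizemax)} from the ESP encrypt lines."""
    table = {}
    for line in status_text.splitlines():
        m = ALG_LINE.match(line.strip())
        if m:
            table[m.group("name")] = (int(m.group("min")), int(m.group("max")))
    return table

# A phase2alg/esp= token looks like "<cipher><optional keysize>-<integrity>",
# e.g. "aes128-sha1", "aes-sha1", "blowfish448-sha1" or "3des-md5".
SPEC = re.compile(r"^(?P<cipher>[a-z0-9]*?[a-z])(?P<bits>\d+)?-(?P<integ>[a-z0-9]+)$")

def check_esp_spec(spec, table):
    """Check one proposal against the advertised ESP table; returns (ok, reason)."""
    m = SPEC.match(spec)
    if not m:
        return False, "unparseable proposal %r" % spec
    # Assumed mapping: config keyword "blowfish" -> status label "ESP_BLOWFISH".
    name = "ESP_" + m.group("cipher").upper()
    if name not in table:
        return False, "%s is not advertised by this stack" % name
    lo, hi = table[name]
    if m.group("bits") is None:
        return True, "%s accepted, key size left unspecified" % name
    bits = int(m.group("bits"))
    if not lo <= bits <= hi:
        return False, "%s key size %d is outside %d..%d" % (name, bits, lo, hi)
    return True, "%s with %d-bit key is within %d..%d" % (name, bits, lo, hi)

if __name__ == "__main__":
    ciphers = parse_esp_ciphers(SAMPLE_STATUS)
    for proposal in ("blowfish448-sha1", "blowfish512-sha1", "aes-sha1", "aes128-sha1"):
        print(proposal, check_esp_spec(proposal, ciphers))
```

A proposal that passes this check can still fail to negotiate if the peer does not offer the same algorithm and key size, which is why both sides have to match.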