[Openswan Users] Question on ciphers

Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco) mshirali at cisco.com
Wed Jul 22 13:16:23 EDT 2015


Hi Dan,

My understanding is that it’s not really necessary to split the phase 2 algorithms as you’ve suggested. If you don’t, phase 2 inherits the DH group setting of phase 1. In fact I have this working with 3des, AES128 and AES256. It’s just that I have an issue with the blowfish cipher. I also went ahead and tried your suggestion, i.e. replaced esp with phase2 and phase2alg like this:
    phase2=esp
    phase2alg=blowfish448-sha1

This hasn’t helped. The logs do not indicate any error. When I used des, the logs indicated it’s a weak cipher and cannot be used. In the case of Blowfish I see no such thing, nor any error in the logs.

Regards,
Mihir

From: Daniel Cave [mailto:dan.cave at icloud.com]
Sent: Wednesday, July 22, 2015 9:54 AM
To: Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco)
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Question on ciphers

Mihir..

Firstly, this is really easy to answer...

The grep you did is correct; however, you may be using the wrong cipher. IF you comment out the AH/ESP parameters, openswan will *try* to automatically negotiate the connection when a proposal is made.

You can (and probably should) specify the ESP and AH ciphers separately.

ike=aes-128
phase2alg=blowfish
phase2=esp

(On my openswan to Cisco ASA I've done this:)

###############################
# Settings
###############################
    ike=3des-md5
    phase2alg=3des-md5
    phase2=esp
###############################
    ikelifetime=86400s
#    keyexchange=ike
    keylife=28800s
    ## was## keylife=86400s

Obviously both sides have to match.

I would start by looking at the logs and the output from ipsec auto --status to see if they both negotiate both phases.

hope that helps

Dan.

On Jul 22, 2015, at 05:22 PM, "Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco)" <mshirali at cisco.com> wrote:
Hi All,

I’m using RHEL 6.6 and openswan-2.6.32-37.el6.x86_64
I had a couple of questions related to ciphers:
1 - When I run ipsec auto --status, I do see Blowfish listed as one of the available ciphers:
ipsec auto --status | grep BLOW
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448

However, when I plug this into my config file, the tunnel does not come up. Could you please let me know if Blowfish is something which is unsupported?
<snip>
    esp=blowfish448-sha1
</snip>

2 - I believe the esp cipher can be specified as follows:
    aes-sha1 OR
    aes128-sha1
How does OpenSwan treat these 2 internally? Are they treated as 2 separate ciphers or the same one?

Regards,
Mihir
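Added example (Python, written for this page; not code from the thread or from Openswan): a small lint for the ike=/esp=/phase2alg= proposal strings discussed above. It splits each proposal into cipher, explicit key length, integrity and optional DH group, and flags legacy algorithms so a reviewer can see at a glance which side of a mismatch to look at first. The legacy-algorithm lists, the set of ciphers that accept a key-length suffix, and the sample conn section are assumptions; the page itself does not say how Openswan resolves a proposal that omits the key length.

```python
import re
# Constructed sample conn section in the style discussed in the thread
# (not a real config from the list post).
SAMPLE_CONF = """\
conn cisco-asa
    ike=3des-md5
    phase2=esp
    phase2alg=blowfish448-sha1
    keylife=28800s
"""

# Assumed defender policy, not an Openswan rule: algorithms to flag as legacy,
# and ciphers whose key length may be given as a suffix (aes128, blowfish448).
LEGACY_CIPHERS = {"des", "3des", "blowfish"}
LEGACY_INTEGRITY = {"md5"}
VARIABLE_KEYLEN = {"aes", "blowfish", "camellia"}

# One proposal: cipher, optional key length, "-", integrity, optional ";dhgroup".
PROPOSAL_RE = re.compile(
    r"^(?P<cipher>[a-z0-9_]+?)(?P<keylen>\d{2,3})?-(?P<integ>[a-z0-9_]+)"
    r"(?:;(?P<dh>[a-z0-9]+))?$"
)

def parse_proposal(text):
    """'aes128-sha1' -> ('aes', 128, 'sha1', None); keylen None when omitted."""
    m = PROPOSAL_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised proposal: {text!r}")
    keylen = int(m.group("keylen")) if m.group("keylen") else None
    return m.group("cipher"), keylen, m.group("integ"), m.group("dh")

def audit_conn(conf_text):
    """Return findings for the ike=/esp=/phase2alg= lines of a conn section."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key not in ("ike", "esp", "phase2alg"):
            continue
        for prop in value.split(","):                # several proposals may be listed
            cipher, keylen, integ, _dh = parse_proposal(prop)
            if cipher in LEGACY_CIPHERS:
                findings.append(f"{key}: legacy cipher {cipher}")
            if integ in LEGACY_INTEGRITY:
                findings.append(f"{key}: legacy integrity {integ}")
            if cipher in VARIABLE_KEYLEN and keylen is None:
                findings.append(f"{key}: {cipher} key length not explicit")
    return findings
```

Run `audit_conn` over the conn section from each peer and compare the two proposal tuples side by side; a tunnel that silently fails to come up, as with the blowfish448-sha1 line above, is often one side proposing an algorithm the other side never lists.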