[Openswan Users] Question on ciphers

Daniel Cave dan.cave at me.com
Thu Jul 23 04:24:09 EDT 2015


Hi there.

I understand what you're saying and it was my understanding too. I tried getting one of our tunnels working with 3des-md5 on 'auto' on our side and the Cisco at the other end wouldn't negotiate correctly, hence why I had to specify the phase1/2.

Anyhow, can I ask, why is it you need to use blowfish? Can you post your config and explain which devices you're trying to connect to - perhaps with a simple ASCII diagram - like you get from the "ipsec auto --status" output?

Dan
On Jul 22, 2015, at 06:16 PM, "Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco)" <mshirali at cisco.com> wrote:

Hi Dan,
 
My understanding is that it's not really necessary to split the phase 2 algorithms as you've suggested. If you don't, phase 2 inherits the DH group setting of phase 1. In fact I have this working with 3des, AES128 and AES256. It's just that I have an issue with the blowfish cipher. I also went ahead and tried your suggestion, i.e. replace esp with phase2 and phase2alg like this:
        phase2=esp
        phase2alg=blowfish448-sha1
 
This hasn't helped. The logs do not indicate any error. When I used des, the logs indicated it's a weak cipher and cannot be used. In the case of Blowfish I see no such thing, nor any error in the logs.
 
Regards,
Mihir
 
From: Daniel Cave [mailto:dan.cave at icloud.com] 
Sent: Wednesday, July 22, 2015 9:54 AM
To: Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco)
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Question on ciphers
 
Mihir.. 
 
Firstly, this is really easy to answer... 
 
The grep you did is correct; however, you may be using the wrong cipher. IF you comment out the AH/ESP parameters, openswan will *try* to automatically negotiate the connection when a proposal is made.
 
You can (and probably should) specify the ESP and AH ciphers separately.
 
ike=aes-128
phase2alg=blowfish
phase2=esp
 
(On my openswan to Cisco ASA tunnel I've done this:
 
###############################
# Settings
###############################
    ike=3des-md5
    phase2alg=3des-md5
    phase2=esp
###############################
    ikelifetime=86400s
#    keyexchange=ike
    keylife=28800s
   ## was## keylife=86400s
 
Obviously both sides have to match.
 
I would start by looking at the logs and the output from ipsec auto --status to see if they both negotiate both phases.
 
hope that helps
 
Dan.
 
On Jul 22, 2015, at 05:22 PM, "Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco)" <mshirali at cisco.com> wrote:

Hi All,
 
I’m using RHEL 6.6 and openswan-2.6.32-37.el6.x86_64
I had a couple of questions related to ciphers:
1 - When I run ipsec auto --status, I do see Blowfish listed as one of the available ciphers:
ipsec auto --status | grep BLOW
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
 
However, when I plug this into my config file, the tunnel does not come up. Could you please let me know if Blowfish is something which is unsupported?
<snip>
        esp=blowfish448-sha1
</snip>
 
2 - I believe the esp cipher can be specified as follows:
        aes-sha1 OR
        aes128-sha1
How does OpenSwan treat these 2 internally? Are they treated as 2 separate ciphers or the same one?
 
Regards,
Mihir
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
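The two questions in the original post (reading the algorithm list out of "ipsec auto --status", and what a phase 2 string like blowfish448-sha1 or aes128-sha1 actually asks for) can be checked mechanically before touching ipsec.conf. The script below is an added example, not Openswan code and not from anyone in this thread. It assumes the status line format shown in the post ("000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ..., keysizemin=40, keysizemax=448"); apart from that one line, the sample status output is constructed, the mapping from config tokens (aes, 3des, blowfish, sha1, md5) to status names is this example's own, and the weak-algorithm policy (64-bit block ciphers, single DES, MD5) is likewise the example's own choice. It does not settle how Openswan treats "aes" versus "aes128" internally; it only reports that the first form carries no explicit key size to check.

```python
"""Vet an Openswan esp=/phase2alg= proposal against `ipsec auto --status`.

Added example (not Openswan code). The STATUS line format is taken from the
mailing-list post; every sample line except the ESP_BLOWFISH one is constructed.
"""
import re

# Constructed sample of `ipsec auto --status` output (key sizes in bits).
# Only the ESP_BLOWFISH line is verbatim from the post.
SAMPLE_STATUS = """\
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
"""

STATUS_RE = re.compile(r"^000 algorithm ESP (encrypt|auth attr): (?P<fields>.+)$")
# Config token -> status name. Assumed mapping for this example only.
CIPHER_NAMES = {"aes": "ESP_AES", "3des": "ESP_3DES", "des": "ESP_DES",
                "blowfish": "ESP_BLOWFISH"}
AUTH_NAMES = {"sha1": "AUTH_ALGORITHM_HMAC_SHA1", "md5": "AUTH_ALGORITHM_HMAC_MD5"}
# Example policy: flag 64-bit block ciphers, single DES and MD5.
WEAK = {"ESP_DES": "56-bit key", "ESP_3DES": "64-bit block",
        "ESP_BLOWFISH": "64-bit block", "AUTH_ALGORITHM_HMAC_MD5": "MD5"}
# cipher token, optional key size in bits, '-', auth token (e.g. blowfish448-sha1)
PROPOSAL_RE = re.compile(r"^(?P<cipher>[0-9]?[a-z]+)(?P<bits>\d+)?-(?P<auth>\w+)$")


def parse_status(text):
    """Return {"encrypt": {name: (min_bits, max_bits)}, "auth": {...}}."""
    algs = {"encrypt": {}, "auth": {}}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        kind = "encrypt" if m.group(1) == "encrypt" else "auth"
        fields = dict(kv.strip().split("=", 1) for kv in m.group("fields").split(","))
        algs[kind][fields["name"]] = (int(fields["keysizemin"]), int(fields["keysizemax"]))
    return algs


def vet_proposal(status_text, proposal):
    """Check one esp=/phase2alg= string against the advertised algorithm list."""
    algs = parse_status(status_text)
    m = PROPOSAL_RE.match(proposal.lower())
    if not m:
        raise ValueError("cannot parse proposal: %r" % proposal)
    cipher = CIPHER_NAMES.get(m.group("cipher"))
    auth = AUTH_NAMES.get(m.group("auth"))
    bits = int(m.group("bits")) if m.group("bits") else None
    result = {"cipher": cipher, "keysize": bits, "auth": auth,
              "advertised": cipher in algs["encrypt"] and auth in algs["auth"],
              "keysize_ok": True, "warnings": []}
    if cipher in algs["encrypt"] and bits is not None:
        lo, hi = algs["encrypt"][cipher]
        result["keysize_ok"] = lo <= bits <= hi
        if not result["keysize_ok"]:
            result["warnings"].append("%s keysize %d outside advertised %d..%d"
                                      % (cipher, bits, lo, hi))
    if not result["advertised"]:
        result["warnings"].append("proposal uses an algorithm not in the status output")
    for name in (cipher, auth):
        if name in WEAK:
            result["warnings"].append("%s is weak (%s)" % (name, WEAK[name]))
    return result


if __name__ == "__main__":
    for p in ("blowfish448-sha1", "aes-sha1", "aes128-sha1", "3des-md5", "blowfish512-sha1"):
        r = vet_proposal(SAMPLE_STATUS, p)
        print(p, "advertised=%s keysize_ok=%s" % (r["advertised"], r["keysize_ok"]),
              "; ".join(r["warnings"]))
```

Run it against real output by replacing SAMPLE_STATUS with the text of "ipsec auto --status" from the box in question. For the post's case it reports blowfish448-sha1 as advertised with a key size inside the 40..448 range, so a silent failure to negotiate is something to chase in the logs of both peers rather than in the algorithm list; the same run flags Blowfish, 3DES and MD5 under the example's own weak-algorithm policy.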