汪洋旦 | 4 May 09:47 2011

[Openswan Users] Does Openswan support aes_ctr as ESP's encryption alg? Support aes_xcbc as ESP's authentication alg?

Hi all,

I am trying each alg listed by "ipsec auto status" as phase2alg during my testing.
I built a test bed with Openswan----Openswan (2.6.33).

I ran into the problem that Openswan doesn't seem to support the following algs, although they are listed by "ipsec auto status".

Does anybody know how to set "aes_ctr" as ESP's encryption alg, and how to set "aes_xcbc" as ESP's authentication alg? Thanks.

The following are the failed cases and error logs:
1. Failed to use aes_ctr as ESP's encryption alg.
    I set the alg -- "phase2alg=aes_ctr-128-sha1" in ipsec.conf.
----------------- 
[root@openswan ~]# cat /etc/ipsec.conf
config setup
 pluto=yes
 protostack=netkey
conn %default
  authby=secret
  auto=route
  ikev2=never
  ikelifetime=600s
  rekeymargin=30s
  salifetime=1000s
  rekey=yes
conn interop4
  left=20.3.2.27
  leftsubnet=20.2.7.0/24
  right=20.3.2.11
  rightsubnet=20.1.1.0/24
  ike=3des-sha1;modp1024
  pfs=yes
  phase2alg=aes_ctr-128-sha1
  type=tunnel
  aggrmode=no
------------------

  and I got the error log during negotiation with the peer (our product, which supports aes_ctr):
  "ERROR: netlink response for Add SA esp.8b100d8d@20.3.2.11 included errno 38: Function not implemented"
--------------
[root@openswan ~]# cat /var/log/secure
...
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: initiating Main Mode
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: ignoring unknown Vendor ID payload [af7557ec8fa949e5c3850465a3eecc41]
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: Main mode peer ID is ID_IPV4_ADDR: '20.3.2.11'
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May  3 16:59:56 openswan pluto[1621]: "interop4" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK {using isakmp#1 msgid:94c62be5 proposal=AES_CTR(13)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: received and ignored informational message
May  3 16:59:56 openswan pluto[1621]: "interop4" #2: ERROR: netlink response for Add SA esp.8b100d8d@20.3.2.11 included errno 38: Function not implemented
-------------- 

 2. Failed to use aes_cbc as ESP's AUTH alg.
    When I set "phase2alg=3des-aes_xcbc;modp2048" in ipsec.conf,
    it output the error log: "May  4 13:55:08 INTEL pluto[16607]: esp string error: hash_alg not found, enc_alg="3des", auth_alg="aes_xcbc", modp="" ..."
    When I set "phase2alg=3des-aes_cbc;modp2048" in ipsec.conf,
    it output the error log: "ASSERTION FAILED at /home/adam/tools/openswan-2.6.33/lib/libopenswan/alg_info.c:68: case 9 unexpected"

--Adam
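
An added example, not part of the original post and not Openswan code: a small Python triage that sorts the three errors quoted above by the stage that reported them (algorithm-string parsing, a pluto assertion, or the kernel refusing the SA over netlink) and ties the netlink error back to the Quick Mode proposal with the same state number. The function name `triage` and the stage labels are this example's own; the sample lines are the ones from the post.

```python
import re

# Log lines copied from the post (wrapped lines rejoined, "@" restored).
SAMPLE_LOG = '''\
May  3 16:59:56 openswan pluto[1621]: "interop4" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May  3 16:59:56 openswan pluto[1621]: "interop4" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK {using isakmp#1 msgid:94c62be5 proposal=AES_CTR(13)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May  3 16:59:56 openswan pluto[1621]: "interop4" #2: ERROR: netlink response for Add SA esp.8b100d8d@20.3.2.11 included errno 38: Function not implemented
May  4 13:55:08 INTEL pluto[16607]: esp string error: hash_alg not found, enc_alg="3des", auth_alg="aes_xcbc", modp="" ...
ASSERTION FAILED at /home/adam/tools/openswan-2.6.33/lib/libopenswan/alg_info.c:68: case 9 unexpected
'''

STATE = r'"(?P<conn>[^"]+)" #(?P<sa>\d+): '
QUICK = re.compile(STATE + r'initiating Quick Mode .*proposal=(?P<proposal>\S+)')
NETLINK = re.compile(STATE + r'ERROR: netlink response for Add SA (?P<said>\S+) '
                     r'included errno (?P<errno>\d+): (?P<msg>.+)')
PARSE = re.compile(r'esp string error: (?P<why>[^,]+), enc_alg="(?P<enc>[^"]*)", '
                   r'auth_alg="(?P<auth>[^"]*)"')
ASSERT = re.compile(r'ASSERTION FAILED at (?P<where>\S+): (?P<what>.+)')


def triage(log_text):
    """Return one finding per phase 2 algorithm failure, tagged with the stage
    (string parsing, pluto assertion, or kernel SA install) that reported it."""
    proposals = {}   # (conn, state number) -> proposal pluto sent in Quick Mode
    findings = []
    for line in log_text.splitlines():
        if m := QUICK.search(line):
            proposals[(m["conn"], m["sa"])] = m["proposal"]
        elif m := NETLINK.search(line):
            # Quick Mode was started for this state; the error came back from netlink.
            findings.append({"stage": "kernel-sa-install", "conn": m["conn"],
                             "proposal": proposals.get((m["conn"], m["sa"])),
                             "said": m["said"], "errno": int(m["errno"]),
                             "detail": m["msg"].strip()})
        elif m := PARSE.search(line):
            # The failure is in parsing the configured algorithm string.
            findings.append({"stage": "alg-string-parse", "enc": m["enc"],
                             "auth": m["auth"], "detail": m["why"].strip()})
        elif m := ASSERT.search(line):
            findings.append({"stage": "pluto-assertion", "where": m["where"],
                             "detail": m["what"].strip()})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

errno 38 is ENOSYS on Linux, so for the aes_ctr case the finding points at the netkey stack on the Openswan host rather than at the IKE exchange with the peer.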

_______________________________________________
Users <at> openswan.org
http://lists.openswan.org/mailman/listinfo/users