ike and esp proposals
user name
2006-01-05 15:43:00
On Thu, 5 Jan 2006, Matthias Haas wrote:

> but I have to insist that the behavior you described is not reflected in the
> current snapshot 2.4.5rc1. The initiator forces to use 3des, but the
> responder only accepts aes. But still they agree about using the proposal
> from the initiator to use 3des.

> conn server_0-213.179.141.11_gw-gw_defaultroute-213.179.141.11
>         left=%defaultroute
>         right=213.179.141.11
>         type=tunnel
>         authby=rsasig
>         leftcert=/etc/ipsec.d/server.crt
>         leftsendcert=yes
>         auto=start
>         auth=esp
>         pfs=yes
>         ike=3des

Ok, you are forcing ike to use 3des. You are not setting/forcing esp=3des....

>         keylife=9h
>         keyingtries=0
>         ikelifetime=6h
>         disablearrivalcheck=no
>         rightid="/C=DE/CN=VPN-242"
>         rightrsasigkey=%cert

> "server_0-213.179.141.11_gw-gw_defaultroute-213.179.141.11" #1:
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}

ike is using 3des as expected.

> Jan  5 09:32:25 vpn233 pluto[19901]:
> "server_0-213.179.141.11_gw-gw_defaultroute-213.179.141.11" #2:
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x72baecff <0x87a24255
> xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}

esp is using aes (as expected, it is the default and it is not forced to 3des)

> Settings and output from responder:

>         ike=aes

Ahh, this shows it should have failed to agree on an ike proposal....

> "server_0-adsl_gw-gw_213.179.141.11-0.0.0.0"[2] 84.155.253.155 #3:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}

I guess this should not have been allowed.

> "server_0-adsl_gw-gw_213.179.141.11-0.0.0.0"[2] 84.155.253.155 #4:
> STATE_QUICK_R2: IPsec SA established {ESP=>0x87a24255 <0x72baecff
> xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
>
> As you can see in phase 1, as they should not agree about the proposals, the
> responder accepts 3des as a valid proposal.

Indeed. I've filed a bug report:

http://bugs.xelerance.com/view.php?id=558

Paul
_______________________________________________
Dev mailing list
http://lists.openswan.org/mailman/listinfo/dev
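A way to catch the condition Paul points out in the responder's log (an ISAKMP SA negotiated with a cipher outside the configured `ike=` proposal), as an added example that is not from the thread or from Openswan itself: it parses pluto's "SA established" lines, extracts the negotiated cipher per phase, and compares it with the `ike=`/`esp=` proposal strings. The config dictionary, connection name, peer address and log lines are constructed stand-ins modelled on the post, and the helper names are my own.

```python
import re

# Constructed sample modelled on the thread's responder: ipsec.conf restricts IKE
# to AES and leaves esp= unset, yet pluto logs an ISAKMP SA using 3DES.
# Connection name and peer address are placeholders, not a real capture.
RESPONDER_CONFIG = {"ike": "aes", "esp": None}  # esp=None: Openswan default set applies
PLUTO_LOG = """\
Jan  5 09:32:25 vpn233 pluto[19901]: "gw-gw"[2] 203.0.113.7 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Jan  5 09:32:26 vpn233 pluto[19901]: "gw-gw"[2] 203.0.113.7 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x87a24255 <0x72baecff xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
"""

# Phase 1: "cipher=oakley_<enc>_cbc_<keylen>"; phase 2: "xfrm=<ENC>_<keylen>-<INTEG>"
ISAKMP_RE = re.compile(r'#(?P<sa>\d+): .*ISAKMP SA established .*cipher=oakley_(?P<enc>[a-z0-9]+?)_')
IPSEC_RE = re.compile(r'#(?P<sa>\d+): .*IPsec SA established .*xfrm=(?P<enc>[A-Z0-9]+)_\d+-')

def allowed_ciphers(proposal):
    """Cipher names permitted by an ike=/esp= string such as 'aes128-sha1;modp1024,3des-md5'."""
    ciphers = set()
    for prop in proposal.split(","):
        enc_token = prop.split("-")[0].split(";")[0].strip().lower()
        m = re.match(r"3des|[a-z]+", enc_token)  # drop a trailing key length (aes128 -> aes)
        if m:
            ciphers.add(m.group(0))
    return ciphers

def negotiated_sas(log_text):
    """Return (phase, sa_number, cipher) for every established SA in pluto log output."""
    sas = []
    for line in log_text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            sas.append(("ike", int(m.group("sa")), m.group("enc").lower()))
            continue
        m = IPSEC_RE.search(line)
        if m:
            sas.append(("esp", int(m.group("sa")), m.group("enc").lower()))
    return sas

def policy_violations(config, log_text):
    """List SAs whose negotiated cipher is outside the configured proposal for that phase.
    A phase with no configured proposal (None) is skipped, as the default set applies."""
    violations = []
    for phase, sa, enc in negotiated_sas(log_text):
        proposal = config.get(phase)
        if proposal is not None and enc not in allowed_ciphers(proposal):
            violations.append(f"#{sa}: {phase} negotiated {enc} but {phase}={proposal}")
    return violations

if __name__ == "__main__":
    for v in policy_violations(RESPONDER_CONFIG, PLUTO_LOG):
        print(v)
```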