Am 19.09.2014 16:36, schrieb Paul:
We could change it so no key length means 128, the only mandatory to implement
key size...
I noticed that openswan did add 128 for esp but not for ike. Can you tell me
which of the two or both are affected with this?
Sent from my iPhone
On Sep 19, 2014, at 4:12, Wolfgang Nothdurft <[email protected]> wrote:
Is the behaviour after commit 68c25611eed93edd459e38deadf01916ab983115
(https://lists.libreswan.org/pipermail/swan-commit/2014-May/001275.html)
intended?
This breaks connectivity with old implementations like openswan 2.4, which
doesn't have configured a specific phase2alg.
We also have a customer with old vigor routers that shows this problem and it
seems that you can do nothing on the vigor site to change this behavior.
Both sends AES_000-HMAC_SHA1 and can't connect because of the required
keylength attribute
Log:
IPsec encryption transform did not specify required KEY_LENGTH attribute
sending encrypted notification BAD_PROPOSAL_SYNTAX to 10.0.12.2:500
Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
The log on the libreswan side shows
cipher=oakley_3des_cbc_192 prf=md5
without ike parameter configured on the openswan side, and
cipher=aes_128 prf=sha
with ike=aes-sha configured.
So ike seems fine and only esp is affected.
Initiator is Linux Openswan U2.4.15/K2.4.14 (klips)
Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan