Am 19.09.2014 16:36, schrieb Paul:
We could change it so no key length means 128, the only mandatory to implement 
key size...

I noticed that openswan did add 128 for esp but not for ike. Can you tell me 
which of the two or both are affected with this?

Sent from my iPhone

On Sep 19, 2014, at 4:12, Wolfgang Nothdurft <[email protected]> wrote:

Is the behaviour after commit 68c25611eed93edd459e38deadf01916ab983115 
(https://lists.libreswan.org/pipermail/swan-commit/2014-May/001275.html) 
intended?

This breaks connectivity with old implementations like openswan 2.4, which 
doesn't have configured a specific phase2alg.

We also have a customer with old vigor routers that shows this problem and it 
seems that you can do nothing on the vigor site to change this behavior.

Both sends AES_000-HMAC_SHA1 and can't connect because of the required 
keylength attribute

Log:
IPsec encryption transform did not specify required KEY_LENGTH attribute
sending encrypted notification BAD_PROPOSAL_SYNTAX to 10.0.12.2:500

Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan


The log on the libreswan side shows

cipher=oakley_3des_cbc_192 prf=md5

without ike parameter configured on the openswan side, and

cipher=aes_128 prf=sha

with ike=aes-sha configured.

So ike seems fine and only esp is affected.

Initiator is Linux Openswan U2.4.15/K2.4.14 (klips)

Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to