[Swan] IPsec encryption transform did not specify required KEY_LENGTH attribute

Wolfgang Nothdurft wolfgang at linogate.de
Mon Sep 22 15:45:59 EEST 2014


On 19.09.2014 16:36, Paul wrote:
> We could change it so no key length means 128, the only mandatory-to-implement key size...
>
> I noticed that openswan did add 128 for esp but not for ike. Can you tell me which of the two or both are affected by this?
>
> Sent from my iPhone
>
>> On Sep 19, 2014, at 4:12, Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
>>
>> Is the behaviour after commit 68c25611eed93edd459e38deadf01916ab983115 (https://lists.libreswan.org/pipermail/swan-commit/2014-May/001275.html) intended?
>>
>> This breaks connectivity with old implementations like openswan 2.4, which doesn't have a specific phase2alg configured.
>>
>> We also have a customer with old Vigor routers that show this problem, and it seems that you can do nothing on the Vigor side to change this behavior.
>>
>> Both send AES_000-HMAC_SHA1 and can't connect because of the required keylength attribute
>>
>> Log:
>> IPsec encryption transform did not specify required KEY_LENGTH attribute
>> sending encrypted notification BAD_PROPOSAL_SYNTAX to 10.0.12.2:500
>>
>> Wolfgang
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>

The log on the libreswan side shows

cipher=oakley_3des_cbc_192 prf=md5

without an ike parameter configured on the openswan side, and

cipher=aes_128 prf=sha

with ike=aes-sha configured.

So ike seems fine and only esp is affected.

Initiator is Linux Openswan U2.4.15/K2.4.14 (klips)

Wolfgang
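To make the failure mode concrete, the following is an added example (not libreswan's or openswan's own code) that builds and parses an IKEv1 ESP transform payload in the RFC 2408 attribute format and then applies the two policies discussed in the thread: reject an AES transform with no KEY_LENGTH attribute with BAD_PROPOSAL_SYNTAX, or treat it as AES-128, the only mandatory-to-implement AES-CBC key size. The sample payloads are constructed here to resemble what a peer without a phase2alg would send (the "AES_000-HMAC_SHA1" of the log); the attribute values and the function names are this example's own assumptions.

```python
"""Parse an IKEv1 (RFC 2408) ESP transform payload and decide whether an
AES transform that omits the KEY_LENGTH attribute is accepted.
Added example; not code from libreswan or openswan."""
import struct

# IPsec DOI ESP transform identifiers (RFC 2407 sec. 4.4.4, RFC 3602)
ESP_3DES = 3
ESP_AES = 12

# IPsec DOI SA attribute types (RFC 2407 sec. 4.5)
ATTR_LIFE_TYPE = 1
ATTR_LIFE_DURATION = 2
ATTR_ENCAP_MODE = 4
ATTR_AUTH_ALG = 5
ATTR_KEY_LENGTH = 6

AES_DEFAULT_KEY_LENGTH = 128  # the only MUST-implement AES-CBC key size (RFC 3602)


class ProposalSyntaxError(Exception):
    """Raised where a responder would send BAD_PROPOSAL_SYNTAX."""


def encode_attribute(attr_type, value):
    """TV form (AF bit set) when the value fits 16 bits, TLV otherwise (RFC 2408 sec. 3.3)."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | attr_type, value)
    data = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack("!HH", attr_type, len(data)) + data


def build_transform(transform_id, attrs, number=0):
    """Build an ISAKMP Transform payload (RFC 2408 sec. 3.6)."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    # next payload=0 (none), RESERVED, length, transform #, transform id, RESERVED2
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), number, transform_id, 0) + body


def parse_transform(payload):
    """Return (transform_id, {attr_type: value}). Lifetime type/duration pairs may
    legitimately repeat in real traffic; this toy parser keeps only the last one."""
    if len(payload) < 8:
        raise ProposalSyntaxError("transform payload truncated")
    _np, _res, length, _num, transform_id, _res2 = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ProposalSyntaxError("transform payload length mismatch")
    attrs, pos = {}, 8
    while pos < length:
        if length - pos < 4:
            raise ProposalSyntaxError("truncated attribute header")
        raw_type, val_or_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if raw_type & 0x8000:                       # TV: 16-bit value inline
            value = val_or_len
        else:                                       # TLV: variable-length value
            if length - pos < val_or_len:
                raise ProposalSyntaxError("truncated attribute value")
            value = int.from_bytes(payload[pos:pos + val_or_len], "big")
            pos += val_or_len
        attrs[raw_type & 0x7FFF] = value
    return transform_id, attrs


def select_esp_cipher(payload, default_missing_key_length=False):
    """Return (cipher_name, key_bits) or raise ProposalSyntaxError.
    default_missing_key_length=False reproduces the strict check behind the thread's
    log line; True applies the proposed "no key length means 128" rule for AES."""
    transform_id, attrs = parse_transform(payload)
    if transform_id == ESP_3DES:
        if ATTR_KEY_LENGTH in attrs and attrs[ATTR_KEY_LENGTH] != 192:
            raise ProposalSyntaxError("3DES has a fixed key length")
        return "3des", 192
    if transform_id == ESP_AES:
        if ATTR_KEY_LENGTH not in attrs:
            if not default_missing_key_length:
                raise ProposalSyntaxError(
                    "IPsec encryption transform did not specify required KEY_LENGTH attribute")
            return "aes", AES_DEFAULT_KEY_LENGTH
        bits = attrs[ATTR_KEY_LENGTH]
        if bits not in (128, 192, 256):
            raise ProposalSyntaxError("unsupported AES key length %d" % bits)
        return "aes", bits
    raise ProposalSyntaxError("unsupported ESP transform id %d" % transform_id)


# Constructed sample resembling an old peer with no phase2alg: AES with no KEY_LENGTH.
LEGACY_AES_NO_KEYLEN = build_transform(ESP_AES, [
    (ATTR_ENCAP_MODE, 1),        # tunnel mode
    (ATTR_AUTH_ALG, 2),          # HMAC-SHA1
    (ATTR_LIFE_TYPE, 1),         # seconds
    (ATTR_LIFE_DURATION, 28800),
])
# Constructed sample of the same proposal with an explicit 128-bit key length.
AES128_SHA1 = build_transform(ESP_AES, [
    (ATTR_ENCAP_MODE, 1), (ATTR_AUTH_ALG, 2), (ATTR_KEY_LENGTH, 128),
])

if __name__ == "__main__":
    try:
        select_esp_cipher(LEGACY_AES_NO_KEYLEN)
    except ProposalSyntaxError as e:
        print("strict:", e)
    print("lenient:", select_esp_cipher(LEGACY_AES_NO_KEYLEN, default_missing_key_length=True))
    print("explicit:", select_esp_cipher(AES128_SHA1))
```

The strict path is what produces the "did not specify required KEY_LENGTH attribute" log line and the BAD_PROPOSAL_SYNTAX notification; the lenient path only fills the default for AES, where 128 bits is the one size every implementation must support, and still rejects a KEY_LENGTH that contradicts a fixed-length cipher such as 3DES.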

