* (usagi-users 02412) IPsec 2.5.70-bk9 and FreeS/WAN 1.99 with algopatches 0.8.1rc2 (in)compatible encryption methods
@ 2003-06-05 13:07 Dr. Peter Bieringer
2003-06-05 14:16 ` James Morris
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Dr. Peter Bieringer @ 2003-06-05 13:07 UTC (permalink / raw)
To: netdev, usagi-users
Hi again,
because I got no success, I've tried different encryption methods than
3DES. And *suddenly* it began to work.
One side : 2.5.70-bk9
Other side: FreeS/WAN 1.99 with algopatches 0.8.1rc2
Result:
AES
---
AES-128: working
AES-192: not working
AES-256: not working
FreeS/WAN:
112 "freeswan-racoon-tunnel" #14: STATE_QUICK_I1: initiate
003 "freeswan-racoon-tunnel" #14: ESP transform ESP_AES passed key_len=32 > 16
032 "freeswan-racoon-tunnel" #14: STATE_QUICK_I1: internal error
3DES
----
Not working, no message
Blowfish
--------
blowfish-128: working
Other key lengths: not working NO_PROPOSAL_CHOSEN
Other algorithms: not tested at the moment
I'm really wondering why 3DES is incompatible in IPsec-SA mode, while
working in IKE.
Can someone confirm and/or extend this compatibility test?
TIA,
Peter
--
Dr. Peter Bieringer http://www.bieringer.de/pb/
GPG/PGP Key 0x958F422D mailto: pb at bieringer dot de
Deep Space 6 Co-Founder and Core Member http://www.deepspace6.net/
* Re: IPsec 2.5.70-bk9 and FreeS/WAN 1.99 with algopatches 0.8.1rc2 (in)compatible encryption methods
From: James Morris @ 2003-06-05 14:16 UTC (permalink / raw)
To: Dr. Peter Bieringer; +Cc: netdev, usagi-users
On Thu, 5 Jun 2003, Dr. Peter Bieringer wrote:
> I'm very wondering why 3DES is incompatible in IPsec-SA modus, while
> working in IKE.
What happens if you use manual configurations (e.g. setkey with the native
ipsec) ?
With this, we can first establish whether on the wire stuff is
fundamentally working, before looking at negotiated configurations.
- James
--
James Morris
<jmorris@intercode.com.au>
* Re: (usagi-users 02412) IPsec 2.5.70-bk9 and FreeS/WAN 1.99 with algopatches 0.8.1rc2
From: Dr. Peter Bieringer @ 2003-06-05 14:20 UTC (permalink / raw)
To: netdev; +Cc: usagi-users
Ohoh, sorry for confusions, my racoon here was a little bit buggy...
...be warned, not using RHL's ipsec-tools from rawhide...looks like the
racoon isn't compiled in a proper environment :-( it doesn't support DES
and causes trouble on 3DES *grmml*).
The reported 3DES problem is now solved by using a freshly compiled one.
But the AES one still occurs.
> FreeS/WAN:
> 112 "freeswan-racoon-tunnel" #14: STATE_QUICK_I1: initiate
> 003 "freeswan-racoon-tunnel" #14: ESP transform ESP_AES passed key_len=32 > 16
> 032 "freeswan-racoon-tunnel" #14: STATE_QUICK_I1: internal error
Or on 192 bits:
112 "freeswan-racoon-tunnel" #15: STATE_QUICK_I1: initiate
003 "freeswan-racoon-tunnel" #15: ESP transform ESP_AES passed key_len=24 > 16
032 "freeswan-racoon-tunnel" #15: STATE_QUICK_I1: internal error
Strange, looks like racoon always reports AES key length 16*8, but in
racoon.conf "aes 192" or "aes 256" was specified.
Peter, partially happy now
--
Dr. Peter Bieringer http://www.bieringer.de/pb/
GPG/PGP Key 0x958F422D mailto: pb at bieringer dot de
Deep Space 6 Co-Founder and Core Member http://www.deepspace6.net/
* (usagi-users 02415) IPsec 2.5.70-bk9 and Check Point VPN-1 NG FP4 RC
From: Dr. Peter Bieringer @ 2003-06-05 14:20 UTC (permalink / raw)
To: netdev; +Cc: usagi-users
Hi,
Here are some results (tunnel mode only tested, auth=SHA1):
DES : ok
3DES : ok
AES-128: ok
AES-192: not supported by CP VPN-1
AES-256: ok
CAST* : not supported by used Linux kernel
BTW: be warned, not using RHL's ipsec-tools from rawhide...looks like the
racoon isn't compiled in a proper environment :-( it doesn't support DES
and causes trouble on 3DES *grmml*).
Peter
--
Dr. Peter Bieringer http://www.bieringer.de/pb/
GPG/PGP Key 0x958F422D mailto: pb at bieringer dot de
Deep Space 6 Co-Founder and Core Member http://www.deepspace6.net/
* Re: (usagi-users 02412) IPsec 2.5.70-bk9 and FreeS/WAN 1.99 with algopatches 0.8.1rc2
From: James Morris @ 2003-06-05 14:25 UTC (permalink / raw)
To: Dr. Peter Bieringer; +Cc: netdev, usagi-users
On Thu, 5 Jun 2003, Dr. Peter Bieringer wrote:
> Ohoh, sorry for confusions, my racoon here was a little bit buggy...
>
> ...be warned, not using RHL's ipsec-tools from rawhide...looks like the
> racoon isn't compiled in a proper environment :-( it doesn't support DES
> and causes trouble on 3DES *grmml*).
Actually, the ABI changed recently, due to renumbering the algorithm ids
in pfkeyv2.h.
(This will affect setkey as well).
- James
--
James Morris
<jmorris@intercode.com.au>
* Re: IPsec 2.5.70-bk9 and FreeS/WAN 1.99 with algopatches 0.8.1rc2 (in)compatible encryption methods
From: David S. Miller @ 2003-06-06 4:59 UTC (permalink / raw)
To: pb; +Cc: netdev, usagi-users
   From: "Dr. Peter Bieringer" <pb@bieringer.de>
   Date: Thu, 05 Jun 2003 15:07:36 +0200

   because I got no success, I've tried different encryption methods than
   3DES. And *suddenly* it began to work.

Sounds like an out-of-date include/linux/pfkeyv2.h file
used during tool building.
* Re: IPsec 2.5.70-bk9 and FreeS/WAN 1.99 with algopatches 0.8.1rc2 (in)compatible encryption methods
From: Peter Bieringer @ 2003-06-06 6:25 UTC (permalink / raw)
To: netdev; +Cc: usagi-users
--On Thursday, June 05, 2003 09:59:07 PM -0700 "David S. Miller"
<davem@redhat.com> wrote:
> From: "Dr. Peter Bieringer" <pb@bieringer.de>
> Date: Thu, 05 Jun 2003 15:07:36 +0200
>
> because I got no success, I've tried different encryption methods than
> 3DES. And *suddenly* it began to work.
>
> Sounds like an out-of-date include/linux/pfkeyv2.h file
> used during tool building.
Yes, it looks like it.
BTW: is there something like a "version information" which is used in that
way that user space tools can detect and report such changes at runtime?
Would be perhaps helpful if racoon reports something like "incompatible" in
this case. Very much better than such strange problems...
Peter
--
Dr. Peter Bieringer http://www.bieringer.de/pb/
GPG/PGP Key 0x958F422D mailto: pb at bieringer dot de
Deep Space 6 Co-Founder and Core Member http://www.deepspace6.net/
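One way a userspace tool could notice the stale-header mismatch discussed in this thread at runtime, as an added example (not code from racoon, setkey or the kernel): compare the algorithm ids and key-size ranges the tool was built with against the supported-algorithm entries the kernel returns in its SADB_REGISTER reply (struct sadb_alg, RFC 2367). The ids, table contents and the names `alg_entry`, `alg_expect` and `count_abi_mismatches` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One supported-algorithm entry, same fields as struct sadb_alg in RFC 2367
 * (the kernel lists these in its reply to SADB_REGISTER). */
struct alg_entry { uint8_t id, ivlen; uint16_t minbits, maxbits, reserved; };

/* What the tool believes an id means, per the header it was compiled with. */
struct alg_expect { uint8_t id; const char *name; uint16_t minbits, maxbits; };

/* Constructed sample: the numbering baked into a hypothetical tool build. */
const struct alg_expect built_with[] = {
    { 2,  "3des-cbc", 192, 192 },
    { 12, "aes-cbc",  128, 256 },
};

/* Constructed sample of a kernel reply that uses a different numbering:
 * here id 2 is single DES and id 3 is 3DES. */
const struct alg_entry kernel_reply[] = {
    { 2,  8,  64,  64,  0 },
    { 3,  8,  192, 192, 0 },
    { 12, 16, 128, 256, 0 },
};

/* Count ids whose kernel key-size range cannot belong to the algorithm the
 * tool expects. Overlapping ranges (AES vs. Blowfish) are not caught, so a
 * result of 0 does not prove that the headers agree. */
int count_abi_mismatches(const struct alg_expect *e, size_t ne,
                         const struct alg_entry *k, size_t nk)
{
    int bad = 0;
    for (size_t i = 0; i < ne; i++) {
        const struct alg_entry *a = NULL;
        for (size_t j = 0; j < nk && !a; j++)
            if (k[j].id == e[i].id)
                a = &k[j];
        if (!a || a->maxbits < e[i].minbits || a->minbits > e[i].maxbits) {
            fprintf(stderr, "%s (id %u): %s; built against a stale pfkeyv2.h?\n",
                    e[i].name, (unsigned)e[i].id,
                    a ? "kernel key-size range does not fit" : "not offered by kernel");
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    return count_abi_mismatches(built_with, 2, kernel_reply, 3) ? 1 : 0;
}
```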