Openswan ipsec.conf: configuring twofish/blowfish as the IKE encryption algorithm

火星人 @ 2014-03-04, reply: 0

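ipsec.conf on a freshly installed Openswan U2.4.6:
When the IKE encryption algorithm is blowfish or twofish, the VPN cannot negotiate successfully; with des or 3des it negotiates fine.
I would like to know whether there is any way to use blowfish or twofish as the IKE encryption algorithm and still negotiate successfully. Thanks!
《Solution》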

Who is Openswan U2.4.6 setting up the tunnel with?
Could it be that the peer does not support it?
《Solution》

Reply to post #2 by smartlinux

Both ends are Debian systems with the same configuration. ipsec.conf is configured as follows:

conn x509

        left=10.10.0.1
        leftsubnet=10.9.0.1/24
        leftnexthop=10.10.0.2
        leftcert=left.pem
        right=10.10.0.2
        rightsubnet=10.8.0.1/24
        rightnexthop=10.10.0.1
        rightcert=right.pem
        pfs=yes
        ike=Blowfish-md5-modp1024
        esp=aes-sha1
        auto=add

gw-left:/etc# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.10.0.1
000 interface eth0/eth0 10.10.0.1
000 interface eth1/eth1 10.9.0.1
000 interface eth1/eth1 10.9.0.1
000 interface eth2/eth2 10.4.33.1
000 interface eth2/eth2 10.4.33.1
000 %myid = (none)
000 debug parsing+control
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "x509": 10.9.0.0/24===10.10.0.1...10.10.0.2===10.8.0.0/24; unrouted; eroute owner: #0
000 "x509":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "x509":   CAs: 'C=CN, ST=FJ, O=SINET, OU=RD, CN=LL, E=sinet@mail.si.net.cn'...'C=CN, ST=FJ, O=SINET, OU=RD, CN=LL, E=sinet@mail.si.net.cn'
000 "x509":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "x509":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "x509":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "x509":   IKE algorithms wanted: 3_000-1-2, flags=strict
000 "x509":   IKE algorithms found:  3_000-1-2, flags=strict
000 "x509":   ESP algorithms wanted: 12_000-2, flags=strict
000 "x509":   ESP algorithms loaded: 12_000-2, flags=strict


When the IKE encryption algorithm is aes or 3des, the VPN negotiates successfully; now I want to use blowfish or twofish as the IKE encryption algorithm.
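
Added example, not part of the original thread: a Python check that compares the IKE proposals a connection wants with the IKE algorithms that the same ipsec whack --status output lists as registered. It assumes the "wanted" string is encryption id, key length, hash id and DH group id in that order, which is consistent with the ike= line and the status output posted above; the sample lines are excerpted from that output.

```python
import re

# Constructed sample: lines excerpted from the status output posted in the thread.
SAMPLE_STATUS = """\
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 "x509":   IKE algorithms wanted: 3_000-1-2, flags=strict
"""

# Only "algorithm IKE ..." lines count; ESP (phase 2) algorithms are a separate list.
REGISTERED = re.compile(r'^\d+ algorithm IKE (encrypt|hash|dh group): id=(\d+), name=([^,\s]+)')
WANTED = re.compile(r'^\d+ "([^"]+)":\s+IKE algorithms wanted: (.*)$')
# Assumed layout of one proposal: <encrypt id>_<key length>-<hash id>-<dh group id>
PROPOSAL = re.compile(r'(\d+)_(\d+)-(\d+)-(\d+)')


def parse_status(text):
    """Return (registered IKE algorithms by kind, wanted proposals by connection)."""
    registered = {"encrypt": {}, "hash": {}, "dh group": {}}
    wanted = {}
    for line in text.splitlines():
        m = REGISTERED.match(line)
        if m:
            registered[m.group(1)][int(m.group(2))] = m.group(3)
            continue
        m = WANTED.match(line)
        if m:
            props = [tuple(int(x) for x in p) for p in PROPOSAL.findall(m.group(2))]
            wanted.setdefault(m.group(1), []).extend(props)
    return registered, wanted


def unregistered(text):
    """List (connection, kind, id) for every wanted IKE id that is not registered."""
    registered, wanted = parse_status(text)
    problems = []
    for conn, props in wanted.items():
        for enc, _keylen, hsh, grp in props:
            for kind, alg_id in (("encrypt", enc), ("hash", hsh), ("dh group", grp)):
                if alg_id not in registered[kind]:
                    problems.append((conn, kind, alg_id))
    return problems


if __name__ == "__main__":
    for conn, kind, alg_id in unregistered(SAMPLE_STATUS):
        print(f'conn "{conn}": IKE {kind} id={alg_id} is not in the registered list')
```

On the posted output this reports encryption id 3 (Blowfish-CBC in the IKEv1 numbering) for conn x509: Blowfish and Twofish appear only in the ESP list, while the IKE list contains 3DES and AES.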

http://coctec.com/docs/service/show-post-24487.html