Re: [Users] Problem with HMAC... "enc_alg not found" (barf incl.)

From: JuanJo Ciarlante (jjo-ipsec_at_mendoza.gov.ar)
Date: Thu Aug 15 2002 - 15:55:15 CEST

• Next message: help: "[Users] Happy good Assumption"
• Previous message: Greg Scott: "RE: [Users] freeswan enabled kernel hangs on boot (lost interrupt on /dev/hda)"
• Maybe in reply to: --sc./ire: "[Users] Problem with HMAC... "enc_alg not found" (barf incl.)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Wed, Aug 14, 2002 at 05:38:22PM -0700, --sc./ire wrote:
> I have been running the ipsec .deb kernel patch that comes with debian. I
> compiled it into the 2.4.19-pre10 kernel on several systems. It seems to work
> fine FreeSwan <--> FreeSwan.  I have also ran
> older versions of FS(1.91 and 1.94) on some SuSE distros to connect to some
> netopia routers with great success as well.
>
> Recently I tried to run the 1.96/2.4.19-pre10 to connect to one of the
> netopia routers and ran into this problem.
>
> The netopia routers only will only have 3 optons for ESP authenticaion:
> 1. none
> 2. hmac-md5-96
> 3. hmac-sha1-96
>
>
> The same system that can connect to another freeswan setup with
> "esp=3des-md5-96" cannot run the hmac-md5-96 algorithm.
>
> I keep getting this error:
>         "esp string error: enc_alg not found, enc_alg="hmac", auth_alg="md5""
>
> I do have HMAC_MD5 compiled into the kernel.  In fact all of the freeswan
> components are either a module or compiled in.
>
> any help would be greatly appreciated.

Hi...
The esp string parser expects the following syntax:
         esp=<enc_alg>-<auth_alg>
   where
             enc_alg: encryption algorithm, eg. "3des"
             auth_alg: auth. algorithm, eg. "md5" or "md5-96" which
                        are the same, it doesn't expect to see the
                        hmac-... string

So, the parser is trying resolve the "hmac" string into one known
cipher and fails.

The valid esp string for using ESP_3DES and HMAC_MD5 is:
ESP is
              esp=3des-md5
              
... or if you prefer to try sha1 first (is the default if you don't
specify esp string)
              esp=3des-sha1,3des-md5

BTW please note that this esp cipher selection capability in pluto
comes from freeswan-algo patch which _is_ included in Debian's freeswan pkg;
ie. it will be ignored by stock pluto.

Regards

-- 
--Juanjo       freeswan algo: AES (+others), SHA2, MODP2048-4096 
               selectable algorithms support for Phase1 and 2.
	       http://www.irrigacion.gov.ar/juanjo/ipsec/
#  Juan Jose Ciarlante (JuanJo PGP) jjo ;at; mendoza.gov.ar              #
#  Key fingerprint = 76 60 A5 76 FD D2 53 E3  50 C7 90 20 22 8C F1 2D    #
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

• Next message: help: "[Users] Happy good Assumption"
• Previous message: Greg Scott: "RE: [Users] freeswan enabled kernel hangs on boot (lost interrupt on /dev/hda)"
• Maybe in reply to: --sc./ire: "[Users] Problem with HMAC... "enc_alg not found" (barf incl.)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Aug 15 2002 - 19:19:38 CEST