Steve Lanser | 28 Nov 21:08 2011

[Openswan Users] Configuration file parser does not support modp specifier for ike parameter

Greetings Paul et al.,

I'm new to this forum.  I've recently begun testing Openswan 2.6.21 (on
CentOS, 2.6.18), and I've discovered what looks to be a longstanding bug in
the parser (or in the documentation), namely that it fails to support
";modpXXXX" syntax in the ike parameter, as stated in the ipsec.conf man
page:

       ike    IKE encryption/authentication algorithm to be used for the connection (phase 1 aka ISAKMP SA).
              The format is "cipher-hash;modpgroup, cipher-hash;modpgroup, ..."  Any left out option will be
              filled in with all allowed default options. Multiple proposals are seperated by a comma. If an
              ike= line is specified, no other received proposals will be accepted. Formerly there was a
              distinction (by using a "!"  symbol) between "strict mode" or not. That mode has been obsoleted.
              If an ike= option is specified, the mode is always strict, meaning no other received proposals
              will be accepted. Some examples are ike=3des-sha1,aes-sha1, ike=aes, ike=aes128-md5;modp2048,
              ike=3des-md5;modp1024,esp=aes-sha1;modp1536 or ike=modp1536. The options must be suitable as a
              value of ipsec_spi(8)'s --ike option. The default is to use IKE, and to allow all combinations
              of:

                              cipher:                 3des or aes
                              hash:                   sha1 or md5
                              pfsgroup (DHgroup):     modp1024 or modp1536

In short, the parser appears simply to reject the semicolon suffix syntax
component altogether, and issues, for example, an error like this:

pluto[31725]: esp string error: Non alphanum or valid separator found in auth string, just after
"3des-sha1" (old_state=ST_AA)

for the ipsec.conf configuration parameter:

Paul Wouters | 28 Nov 22:43 2011

Re: [Openswan Users] Configuration file parser does not support modp specifier for ike parameter

On Mon, 28 Nov 2011, Steve Lanser wrote:

> I'm new to this forum.  I've recently begun testing Openswan 2.6.21 (on
> CentOS, 2.6.18), and I've discovered what looks to be a longstanding bug in
> the parser (or in the documentation), namely that it fails to support
> ";modpXXXX" syntax in the ike parameter, as stated in the ipsec.conf man

> In short, the parser appears simply to reject the semicolon suffix syntax
> component altogether, and issues, for example, an error like this:
>
> pluto[31725]: esp string error: Non alphanum or valid separator found in auth string, just after
> "3des-sha1" (old_state=ST_AA)
>
> for the ipsec.conf configuration parameter:
>
>    ike = 3des-sha1;modp1024

This has been fixed in openswan 2.6.24 released Jan 8 2010.

Paul
_______________________________________________
Users <at> openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
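
The `ike=` format quoted from the ipsec.conf man page in this thread, as an added example that is not part of any poster's message or of Openswan's code: a small parser that splits a value into proposals and flags the `;modpXXXX` suffix on releases older than the fix. The names `parse_ike` and `lint_ike` are hypothetical, and the token patterns and the version cutoff (derived from the 2.6.21 report and the 2.6.24 fix stated above) are assumptions.

```python
import re

# Grammar as quoted from the man page in this thread:
#   "cipher-hash;modpgroup, cipher-hash;modpgroup, ..."  (any part may be left out)
# Token shapes are an assumption; the page only shows names such as
# 3des, aes128, sha1, md5 and modp2048.
TOKEN = re.compile(r"^[A-Za-z0-9_]+$")
GROUP = re.compile(r"^modp[0-9]+$")

# Assumption from the thread: ";modpXXXX" fails on 2.6.21 and is fixed in
# 2.6.24, so every release older than 2.6.24 is treated as affected.
FIXED_IN = (2, 6, 24)


def parse_ike(value):
    """Split an ike= value into (cipher, hash, group) tuples; None = left out."""
    proposals = []
    for raw in value.split(","):
        prop = raw.strip()
        if not prop:
            raise ValueError("empty proposal in %r" % value)
        algs, sep, group = prop.partition(";")
        if not sep and GROUP.match(prop):       # bare group, e.g. ike=modp1536
            algs, group = "", prop
        if sep and not GROUP.match(group):
            raise ValueError("bad group after ';' in %r" % prop)
        parts = algs.split("-") if algs else []
        if len(parts) > 2 or not all(TOKEN.match(p) for p in parts):
            raise ValueError("expected cipher[-hash] in %r" % prop)
        cipher = parts[0] if parts else None
        hash_ = parts[1] if len(parts) == 2 else None
        proposals.append((cipher, hash_, group or None))
    return proposals


def lint_ike(value, version):
    """Warn about proposals the given Openswan version tuple would reject."""
    parse_ike(value)                            # raises on malformed input
    return ["';modp' suffix in %r: fixed in 2.6.24 per this thread" % p.strip()
            for p in value.split(",") if ";" in p and version < FIXED_IN]


if __name__ == "__main__":
    line = "3des-sha1;modp1024"                 # value reported in the thread
    print(parse_ike(line))
    print(lint_ike(line, (2, 6, 21)))
```
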

Steve Lanser | 28 Nov 22:58 2011

Re: [Openswan Users] Configuration file parser does not support modp specifier for ike parameter

Thanks Paul for your prompt response!!

What do you consider to be the most stable release after 2.6.24?

Steve

On Mon, Nov 28, 2011 at 04:43:01PM -0500, Paul Wouters wrote:
> On Mon, 28 Nov 2011, Steve Lanser wrote:
> 
> >I'm new to this forum.  I've recently begun testing Openswan 2.6.21 (on
> >CentOS, 2.6.18), and I've discovered what looks to be a longstanding bug in
> >the parser (or in the documentation), namely that it fails to support
> >";modpXXXX" syntax in the ike parameter, as stated in the ipsec.conf man
> 
> >In short, the parser appears simply to reject the semicolon suffix syntax
> >component altogether, and issues, for example, an error like this:
> >
> >pluto[31725]: esp string error: Non alphanum or valid separator found in 
> >auth string, just after "3des-sha1" (old_state=ST_AA)
> >
> >for the ipsec.conf configuration parameter:
> >
> >   ike = 3des-sha1;modp1024
> 
> This has been fixed in openswan 2.6.24 released Jan 8 2010.
> 
> Paul

Paul Wouters | 29 Nov 03:23 2011

Re: [Openswan Users] Configuration file parser does not support modp specifier for ike parameter

On Mon, 28 Nov 2011, Steve Lanser wrote:

> Thanks Paul for your prompt response!!
>
> What do you consider to be the most stable release after 2.6.24?

You're asking the release manager, so I will always say the latest release is
our best ever. 2.6.37 so far.

Paul

> Steve
>
> On Mon, Nov 28, 2011 at 04:43:01PM -0500, Paul Wouters wrote:
>> On Mon, 28 Nov 2011, Steve Lanser wrote:
>>
>>> I'm new to this forum.  I've recently begun testing Openswan 2.6.21 (on
>>> CentOS, 2.6.18), and I've discovered what looks to be a longstanding bug in
>>> the parser (or in the documentation), namely that it fails to support
>>> ";modpXXXX" syntax in the ike parameter, as stated in the ipsec.conf man
>>
>>> In short, the parser appears simply to reject the semicolon suffix syntax
>>> component altogether, and issues, for example, an error like this:
>>>
>>> pluto[31725]: esp string error: Non alphanum or valid separator found in
>>> auth string, just after "3des-sha1" (old_state=ST_AA)
>>>
>>> for the ipsec.conf configuration parameter:
>>>
>>>   ike = 3des-sha1;modp1024