Description of problem:
The config parser ignored the characters '-96' of ike=3des-sha1-96-modp1024. It should be a bug.

Version-Release number of selected component (if applicable):
OS: rhel5.4
openswan: openswan-2.6.21-5.el5

How reproducible:

Steps to Reproduce:
1. Configure ipsec.conf at the endpoints of the ipsec connection as follows:

config setup
    crlcheckinterval="180"
    strictcrlpolicy=no
    protostack=netkey
    interfaces=%defaultroute
    plutostderrlog=/var/log/pluto.log

conn %default
    ikelifetime="60m"
    keylife="20m"
    rekeymargin="3m"
    keyingtries=1
    phase2=esp
    ike=3des-sha1-96-modp1024
    phase2alg=3des-sha1-96
    authby=secret
    ikev2=yes
    rekey=yes
    keyexchange=ike

conn host-host
    connaddrfamily=ipv4
    left=192.168.122.157
    right=192.168.122.185
    type=tunnel
    compress=no
    auto=add

2. Start the ipsec service on each endpoint of the ipsec connection:
# service ipsec restart

3. Set up the ipsec connection:
# ipsec auto --up host-host

Actual results:
[root@localhost etc]# ipsec auto --up host-host
133 "host-host" #1: STATE_PARENT_I1: initiate
133 "host-host" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
134 "host-host" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1 prf=oakley_sha group=modp1024}
004 "host-host" #2: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0xbeea1ac3 <0xe000cbae xfrm=3DES_192-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Expected results:
The output text when setting up the ipsec connection should contain the characters '-96'.

Additional info:
I got the source code of openswan-2.6.23 from www.openswan.org, then compiled and installed it, and could get the same "actual results".
If ipsec.conf on endpoint A is configured like this:

config setup
    crlcheckinterval="180"
    strictcrlpolicy=no
    protostack=netkey
    interfaces=%defaultroute
    plutostderrlog=/var/log/pluto.log

conn %default
    ikelifetime="60m"
    keylife="20m"
    rekeymargin="3m"
    keyingtries=1
    phase2=esp
    ike=3des-sha1-96-modp1024
    phase2alg=3des-sha1-96
    authby=secret
    ikev2=yes
    rekey=yes
    keyexchange=ike

conn host-host
    connaddrfamily=ipv4
    left=192.168.122.157
    right=192.168.122.185
    type=tunnel
    compress=no
    auto=add

BUT on B like this:

config setup
    crlcheckinterval="180"
    strictcrlpolicy=no
    protostack=netkey
    interfaces=%defaultroute
    plutostderrlog=/var/log/pluto.log

conn %default
    ikelifetime="60m"
    keylife="20m"
    rekeymargin="3m"
    keyingtries=1
    phase2=esp
    ike=3des-sha1-modp1024
    phase2alg=3des-sha1
    authby=secret
    ikev2=yes
    rekey=yes
    keyexchange=ike

conn host-host
    connaddrfamily=ipv4
    left=192.168.122.157
    right=192.168.122.185
    type=tunnel
    compress=no
    auto=add

the connection "host-host" can be set up too.
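Added illustration for the two comments above (this is example code written for this report, not openswan's parser): a small parser for ike=/phase2alg= proposal strings that shows the difference between dropping an unrecognised "-96" token and honouring it. It assumes a simplified grammar `<encr>-<integ>[-<truncbits>][-<dhgroup>]` and uses the IANA IKEv2 integrity transform IDs, where HMAC-SHA1 as used by IPsec is truncated to 96 bits (RFC 2404), so "sha1" and "sha1-96" name the same transform; that is why endpoint A with 3des-sha1-96-modp1024 and endpoint B with 3des-sha1-modp1024 still negotiate. The lenient variant reproduces the reported behaviour; the strict variant shows why silently dropping the suffix matters: a request such as sha1-160 is turned into a different transform than the one configured, and an unsupported length is accepted instead of rejected.

```python
"""Parse openswan-style ike=/phase2alg= proposal strings (illustrative only).

Assumed grammar, a simplification of the real syntax:

    <encr>-<integ>[-<truncbits>][-<dhgroup>]

e.g. "3des-sha1-96-modp1024" (ike=) or "3des-sha1-96" (phase2alg=).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    encr: str              # encryption token, kept as written
    integ_id: int          # IANA IKEv2 integrity transform ID
    group: Optional[str]   # None for phase2alg= strings (no DH group)


# IANA "IKEv2 Transform Type 3 - Integrity Algorithm Transform IDs",
# keyed by (hash name, truncated MAC length in bits).
INTEG_IDS = {
    ("md5", 96): 1,         # AUTH_HMAC_MD5_96
    ("sha1", 96): 2,        # AUTH_HMAC_SHA1_96  (RFC 2404 truncation)
    ("sha1", 160): 7,       # AUTH_HMAC_SHA1_160
    ("sha2_256", 128): 12,  # AUTH_HMAC_SHA2_256_128
    ("sha2_384", 192): 13,  # AUTH_HMAC_SHA2_384_192
    ("sha2_512", 256): 14,  # AUTH_HMAC_SHA2_512_256
}

# Truncation used when the config omits "-<bits>": the standard IPsec
# lengths, so plain "sha1" is the same transform as "sha1-96".
DEFAULT_TRUNC = {"md5": 96, "sha1": 96,
                 "sha2_256": 128, "sha2_384": 192, "sha2_512": 256}


def parse_lenient(spec: str) -> Proposal:
    """Behaviour the report describes: every token after the integrity
    name that is not a DH group is dropped, so "sha1-96" and "sha1-160"
    both silently become plain "sha1" (96-bit truncation)."""
    tokens = spec.split("-")
    encr, integ = tokens[0], tokens[1]
    group = next((t for t in tokens[2:] if t.startswith("modp")), None)
    return Proposal(encr, INTEG_IDS[(integ, DEFAULT_TRUNC[integ])], group)


def parse_strict(spec: str) -> Proposal:
    """Honour the truncation suffix and reject anything not understood,
    so the operator's configuration is either applied exactly or refused."""
    tokens = spec.split("-")
    if len(tokens) < 2:
        raise ValueError(f"{spec!r}: need at least <encr>-<integ>")
    encr, integ = tokens[0], tokens[1]
    rest = tokens[2:]
    group = rest.pop() if rest and rest[-1].startswith("modp") else None
    if integ not in DEFAULT_TRUNC:
        raise ValueError(f"{spec!r}: unknown integrity algorithm {integ!r}")
    trunc = DEFAULT_TRUNC[integ]
    if rest:
        if len(rest) != 1 or not rest[0].isdigit():
            raise ValueError(f"{spec!r}: unexpected tokens {rest}")
        trunc = int(rest[0])
    key = (integ, trunc)
    if key not in INTEG_IDS:
        raise ValueError(f"{spec!r}: no IKEv2 integrity transform for {integ}-{trunc}")
    return Proposal(encr, INTEG_IDS[key], group)


def proposals_match(a: str, b: str) -> bool:
    """True when both sides name the same transforms, i.e. the situation in
    the comment above where A uses 3des-sha1-96-modp1024, B uses
    3des-sha1-modp1024, and the SA still comes up."""
    return parse_strict(a) == parse_strict(b)


if __name__ == "__main__":
    for spec in ("3des-sha1-96-modp1024", "3des-sha1-modp1024", "3des-sha1-96"):
        print(f"{spec:24} -> {parse_strict(spec)}")
    print("A/B still agree:", proposals_match("3des-sha1-96-modp1024",
                                              "3des-sha1-modp1024"))
    # Dropping the suffix hides a real configuration difference:
    print("lenient sha1-160 ->", parse_lenient("3des-sha1-160-modp1024"))
    print("strict  sha1-160 ->", parse_strict("3des-sha1-160-modp1024"))
    try:
        parse_strict("3des-sha1-128-modp1024")
    except ValueError as e:
        print("strict rejects:", e)
```

Run it as a script to see the four cases. The point for a deployment is the last two lines: with the lenient behaviour a proposal the administrator wrote is negotiated as something else without any warning, which is exactly the kind of silent downgrade a config parser should refuse.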
I have reported the same bug on bugs.openswan.org; the link: https://gsoc.xelerance.com/issues/1062
It is already fixed in 5.4/5.5 with openswan-2.6.21 and was fixed with 524191.