# IPSec + AES

## ipsecnoob

I am trying to use AES with IPSec, but I get a lot of errors. If I use 3DES it works OK.

`racoon -F -f /etc/racoon/racoon.conf`

```
Foreground mode.
2005-03-30 18:03:20: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
2005-03-30 18:03:20: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
2005-03-30 18:03:20: INFO: XX.XXX.XXX.XXX[500] used as isakmp port (fd=7)
2005-03-30 18:03:20: INFO: XX.XXX.XXX.XXX[500] used for NAT-T
2005-03-30 18:03:20: INFO: 192.168.1.254[500] used as isakmp port (fd=8)
2005-03-30 18:03:20: INFO: 192.168.1.254[500] used for NAT-T
2005-03-30 18:03:20: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
2005-03-30 18:03:20: INFO: 127.0.0.1[500] used for NAT-T
2005-03-30 18:03:23: INFO: respond new phase 1 negotiation: XX.XXX.XXX.XXX[500]<=>YY.YYY.YYY.YYY[500]
2005-03-30 18:03:23: INFO: begin Identity Protection mode.
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 7:3DES-CBC
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = 7:3DES-CBC
2005-03-30 18:03:23: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = SHA:MD5
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#2) = 7:DES-CBC
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#3) = 7:DES-CBC
2005-03-30 18:03:23: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#3) = SHA:MD5
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = 7:3DES-CBC
2005-03-30 18:03:23: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#4) = 1024-bit MODP group:768-bit MODP group
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#5) = 7:3DES-CBC
2005-03-30 18:03:23: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#5) = SHA:MD5
2005-03-30 18:03:23: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#5) = 1024-bit MODP group:768-bit MODP group
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#6) = 7:DES-CBC
2005-03-30 18:03:23: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#6) = 1024-bit MODP group:768-bit MODP group
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#7) = 7:DES-CBC
2005-03-30 18:03:23: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#7) = SHA:MD5
2005-03-30 18:03:23: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#7) = 1024-bit MODP group:768-bit MODP group
2005-03-30 18:03:23: ERROR: no suitable proposal found.
2005-03-30 18:03:23: ERROR: failed to get valid proposal.
2005-03-30 18:03:23: ERROR: failed to process packet.
2005-03-30 18:03:24: INFO: caught signal 2
2005-03-30 18:03:25: INFO: racoon shutdown
```

Here is my racoon.conf:

```
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

remote YY.YYY.YYY.YYY {
        exchange_mode main;
        proposal {
                encryption_algorithm aes256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
        pfs_group modp1024;
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Here are the kernel (2.6.10) cryptographic options:

```
#
# Cryptographic options
#
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_WP512=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_SERPENT=y
CONFIG_CRYPTO_AES_586=y
CONFIG_CRYPTO_CAST5=y
CONFIG_CRYPTO_CAST6=y
CONFIG_CRYPTO_TEA=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_KHAZAD=y
CONFIG_CRYPTO_ANUBIS=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_MICHAEL_MIC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_TEST=y
```

Any ideas?

----------
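An added helper for reading racoon's Phase 1 rejection lines (example code, not from the post above and not part of ipsec-tools): it parses each `rejected enctype/hashtype/dh_group` line, maps the numeric id racoon prints for its own enctype to the IKEv1 algorithm name (7 is AES-CBC in RFC 2409), and reports which local requirement no peer transform satisfied. It assumes the ipsec-tools 0.5 log format shown in the post and uses a subset of those log lines as its sample input.

```python
import re
from collections import defaultdict

# IKEv1 Phase 1 encryption-algorithm identifiers (RFC 2409 / IANA ISAKMP attributes).
# racoon prints this numeric id for its own side of an enctype mismatch.
IKE_ENC_IDS = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-R16-B64-CBC",
               5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}

REJECT_RE = re.compile(
    r"ERROR: rejected (?P<attr>\w+): "
    r"DB\(prop#\d+:trns#\d+\):Peer\(prop#(?P<pp>\d+):trns#(?P<pt>\d+)\) = "
    r"(?P<db>[^:]+):(?P<peer>.+)$")

# Sample input: a subset of the rejection lines from the post, with the forum's
# line wraps re-joined (the dh_group lines are printed on one line by racoon).
SAMPLE_LOG = """\
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#0) = 7:3DES-CBC
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = 7:3DES-CBC
2005-03-30 18:03:23: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#0:trns#1) = SHA:MD5
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#2) = 7:DES-CBC
2005-03-30 18:03:23: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#0:trns#4) = 7:3DES-CBC
2005-03-30 18:03:23: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#0:trns#4) = 1024-bit MODP group:768-bit MODP group
"""


def parse_rejections(log_text):
    """Yield one record per 'rejected <attr>' line: peer transform, local value, peer value."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        if rec["attr"] == "enctype" and rec["db"].isdigit():
            rec["db"] = IKE_ENC_IDS.get(int(rec["db"]), rec["db"])
        yield rec


def diagnose(log_text):
    """Return what the local proposal requires, what each peer transform offered instead,
    and the attributes no peer transform satisfied (i.e. rejected in every transform)."""
    wanted, transforms = {}, defaultdict(dict)
    for r in parse_rejections(log_text):
        wanted[r["attr"]] = r["db"]
        transforms[(int(r["pp"]), int(r["pt"]))][r["attr"]] = r["peer"]
    blocking = sorted(a for a in wanted if all(a in t for t in transforms.values()))
    return {"wanted": wanted, "transforms": dict(transforms), "blocking": blocking}


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG)
    for attr in d["blocking"]:
        offered = sorted({t[attr] for t in d["transforms"].values()})
        print(f"peer never offered {attr}={d['wanted'][attr]}; it offered {', '.join(offered)}")
```

Run against the full log from the post, the only attribute rejected in all eight peer transforms is enctype: the local side requires AES-CBC while the peer only ever proposes 3DES-CBC and DES-CBC, so the hash and DH mismatches on some transforms are secondary.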

