Hi,

On Fri, Dec 23, 2005 at 11:58:14AM -0500, Will H. Backman wrote:
>
> Reducing the enckey to 160 bits worked. Interesting to note that if a
> key is too short, you get a nice warning that the key is too short and
> must be 160 bits long. If a key is too long, you don't get a warning,
> just the less specific errors about writev failed.

ja, ipsecctl just checks the minimum and maximum key sizes. For algorithms
with non-fixed keysizes (aes, aesctr, blf) it depends on the algorithm what
actual keysizes are acceptable. E.g. for aes you can have 128, 192 and 256
bits. For aesctr it's 160 (128+32), 224 (192+32) and 288 (256+32).

I'll add a section to ipsec.conf(5) about correct values soon and add proper
checks to ipsecctl.

HJ.
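
Added example, not part of the original message and not ipsecctl's own code: a pre-flight check that rejects an enckey by exact size, using only the aes and aesctr sizes listed in the reply above. The function names, the hex key format with optional 0x prefix, the colon-separated key pair and the sample keys are assumptions made for this sketch.

```python
# Added example: exact enckey size check from the sizes given in the reply.
AES_BITS = (128, 192, 256)
VALID_BITS = {
    "aes": AES_BITS,
    # aesctr: AES key plus 32 extra bits (128+32, 192+32, 256+32)
    "aesctr": tuple(b + 32 for b in AES_BITS),
}


def key_bits(hexkey):
    """Length in bits of a hex key, with or without a 0x prefix (assumed format)."""
    digits = hexkey[2:] if hexkey.lower().startswith("0x") else hexkey
    if not digits or len(digits) % 2:
        raise ValueError("key must be a non-empty, even number of hex digits")
    return len(bytes.fromhex(digits)) * 8  # ValueError on non-hex characters


def check_enckey(alg, keyspec):
    """Check every key in an assumed 'keyA[:keyB]' spec; return a list of problems."""
    allowed = VALID_BITS.get(alg)
    if allowed is None:
        # The message gives no size list for other algorithms (e.g. blf).
        return [f"{alg}: no size list available, not checked"]
    problems = []
    for n, key in enumerate(keyspec.split(":"), 1):
        try:
            bits = key_bits(key)
        except ValueError as err:
            problems.append(f"key {n}: {err}")
            continue
        if bits in allowed:
            continue
        if bits < min(allowed):
            kind = "too short"
        elif bits > max(allowed):
            kind = "too long"
        else:
            kind = "not an accepted size"
        sizes = ", ".join(str(b) for b in allowed)
        problems.append(f"key {n}: {bits} bits is {kind} for {alg} (valid: {sizes})")
    return problems


if __name__ == "__main__":
    # Constructed sample keys, not real key material.
    for alg, spec in [("aesctr", "0x" + "ab" * 20), ("aesctr", "0x" + "ab" * 40),
                      ("aes", "ab" * 16 + ":" + "ab" * 20)]:
        print(alg, len(spec), check_enckey(alg, spec) or "ok")
```

Running such a check before loading the ruleset turns the too-long case into a specific message rather than a generic writev failure.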