In message <1goxnxb.vwrix01xon1cjM%manu@netbsd.org>, Emmanuel Dreyfus writes:
>Thor Lancelot Simon <tls@rek.tjls.com> wrote:
>
>> It looks to me like with the ipsec-tools racoon, we lose AES support,
>> because there's a disagreement with the kernel about which algorithm
>> to use.  That, at least, is very important to fix.
>
>I'm looking at AES. While I was here, I tried all the documented
>ciphers. For phase 2, the following cause failures, both in KAME racoon
>and ipsec-tools racoon:
>encryption: IDEA, 3IDEA, RC5, RC4, TWOFISH
>authentication: DES, 3DES, DES_IV32, DES_IV64
>
>Should the documentation be updated and those ciphers removed?
>

IDEA, 3IDEA, and RC5 are covered by patents, at least in the US.  RC4 
is hard to do in IPsec, because it's a stream cipher and would have 
trouble with out-of-order blocks unless it takes a time or space 
performance hit.  

In other words, I won't miss them at all....

		--Steve Bellovin, http://www.research.att.com/~smb