On 29.06.2010 11:12, [email protected] wrote:
> Hello,
> 
> We are engineers at Orange Labs, and we are now doing some tests of
> IKEv2 in the strongSwan environment. We aim to configure IPsec like this:
> 
> DH = 1536-bit MODP Group
> PRF = PRF_HMAC_SHA1
> ID = ID_KEY_ID
> AUTH = RSA Digital Signature
> ESP_ENCR = ENCR_AES_CBC or NULL
> ESP_AUTH = AUTH_HMAC_SHA1_96 or NULL
> 
> We have now got as far as configuring ipsec.conf with these parameters, like this:
> 
> -- conn <>
>                 auth = esp
>                 authby = rsasig
>                 ike = modp1536
>                 keyexchange = ikev2
>                 esp = aes128|aes192|aes256|null (for encryption)
>                 esp = sha1|sha (for authentication )
>
the correct notation is

ike=aes128-aes192-aes256-sha1-modp1536!
esp=aes128-aes192-aes256-null-sha1!

- Defining sha1 in ike selects the PRF_HMAC_SHA1
- NULL ESP authentication is not supported whereas
  NULL ESP encryption is.
- An ID_KEY_ID is defined in HEX format as follows:
  left...@#d3ab780f2ced

  even if it is a human readable ASCII string.

> But we still have the following problems:
> 
> 1. For ESP_ENCR and ESP_AUTH, how can we put both values,
> “aes128” (for ESP_ENCR) and “sha1” (for ESP_AUTH), into the single “esp”
> parameter in ipsec.conf?
> 
> 2. We didn’t find the right parameters for the “PRF” and the “ID”, so do
> you have any idea how we can configure these parameters? Or is
> there any document where we can find a complete description of
> the configuration?
> 
> Thank you
> 
> Orange Labs
> 
> Equip MAPS/STT

Regards

Andreas

-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
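
As an added illustration (not part of the original message and not strongSwan code), the Python sketch below splits an `ike=`/`esp=` value into its transform classes, flags unknown keywords and a missing integrity algorithm, and renders an ASCII string in the `@#<hex>` key ID form shown in the reply. The keyword sets are a small assumed subset, only a single dash-separated proposal is handled, and all sample values are constructed.

```python
# Added example: keyword tables are an assumed, non-exhaustive subset of the
# ike=/esp= proposal keywords, enough to cover the algorithms in this thread.
# AEAD ciphers and comma-separated multiple proposals are not modelled.
ENCR = {"aes128", "aes192", "aes256", "3des", "null"}
INTEG = {"sha1", "sha256", "sha384", "sha512", "md5"}
DH = {"modp1024", "modp1536", "modp2048"}


def parse_proposal(value):
    """Split one proposal string into transform classes; keep unknown tokens."""
    value = value.strip()
    result = {"strict": value.endswith("!"),  # trailing '!' as in the reply
              "encr": [], "integ": [], "dh": [], "unknown": []}
    for token in value.rstrip("!").split("-"):
        if token in ENCR:
            result["encr"].append(token)
        elif token in INTEG:
            result["integ"].append(token)
        elif token in DH:
            result["dh"].append(token)
        else:
            result["unknown"].append(token)
    return result


def check_esp(value):
    """Return a list of problems found in an esp= proposal string."""
    parsed = parse_proposal(value)
    problems = ["unknown keyword: " + t for t in parsed["unknown"]]
    if not parsed["encr"]:
        problems.append("no encryption algorithm (use 'null' for NULL encryption)")
    if not parsed["integ"]:
        # Per the reply: NULL ESP authentication is not supported.
        problems.append("no integrity algorithm")
    return problems


def key_id(ascii_id):
    """Render a readable ASCII identifier in the @#<hex> key ID notation."""
    return "@#" + ascii_id.encode("ascii").hex()


if __name__ == "__main__":
    # Constructed inputs: a valid proposal, a mistyped keyword, a wrong separator.
    for sample in ("aes128-aes192-aes256-null-sha1!",
                   "aes128-aes129-aes256-null-sha1!",
                   "aes128|aes192|aes256|null"):
        print(sample, "->", check_esp(sample) or "ok")
    print(key_id("orange"))
```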
