Hi Hilly,

Some things.

GMAC is a MAC, not a cipher. AES-256 in the description means AES-CBC-256. The keyword 
for that is just "aes256".
Whether SHA256-128 or SHA256-96 depends on the other peer. The -96 version is
the non-standardized one. Ask staff operating the other peer for details on what
they use.
You're more constrained by what the kernel you're using can do because it's 
processing the traffic (using the negotiated esp proposal).

The proposal your client asked for is ...
ike=aes256-sha256-ecp256!
esp=aes256-sha256!

You can of course ask them to use AES-GCM and AES-XCBC.

Kind regards
Noel

On 07.10.22 10:04, Hilly B wrote:
Hi Developers,

We are running on CentOS 7 and already have strongswan-5.7.2-1.el7.x86_64
installed, which is the latest version.

Our client will allow us to connect to them using:
Phase 1:
Authentication Method !! Pre-Shared Secret, to be exchanged over the phone 
(SMS) only
Encryption Schema IKEv2
Diffie-Hellman Group- IKE DH Group-19
Encryption Algorithm AES-256
Hashing Algorithm SHA-256
PRF SHA-256
Renegotiate IKE SA every 86400 seconds

Phase 2:
IPSec IPSec
Encryption Algorithm IPSec AES-256
Hashing Algorithm IPSec SHA-256
Renegotiate IPSec SA every 28800 seconds
PFS No PFS
Mode Main Mode

I've been through the documentation from
https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites and since we
don't have Strong Swan 5.8.x we are limited in what we can use;
_Option 1:_  We have asked the client if we can use these alternate protocols 
that are supported with Strongswan 5.7.
For Phase 1:
Instead of DH Group-19   use DH Group 18
Instead of AES-256 use aes256gmac
Instead of SHA-256 use sha256_96
For PRF instead of SHA-256 use AES XCBC

For Phase 2: IPsec
Instead of AES-256 use aes256gmac
Instead of SHA-256 use sha256_96

Question 1:
However it's not clear in the documentation
https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites. For IPsec and
StrongSwan 5.7 can you use aes256gmac instead of AES-256 and sha256_96 instead of
SHA-256?

Question 2:
If this is possible with StrongSwan 5.7 how do you implement aes256gmac
IPSec Encryption Algorithm and sha256_96 IPSec Hashing Algorithm? Or are there 
alternate options supported by StrongSwan 5.7?

_Option 2:_
Build Strongswan 5.8.x on Centos 7
However from this post it seems it may not work
https://wiki.strongswan.org/issues/3229

Question 3:
Has anyone successfully built Strongswan 5.8.x or later on Centos 7 and if so 
would they be so kind as to share their instructions on how to do it?

Thanks for any assistance.



--
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
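
The client's parameter sheet written out as an ipsec.conf connection around the two proposal lines from the reply above. This is an added example, not part of the original thread: the conn name, addresses and subnets are placeholders, and the keyexchange, authby and lifetime lines are an assumed mapping of the sheet onto ipsec.conf keywords.

```conf
# ipsec.conf (added example; conn name, addresses and subnets are placeholders)
conn client-tunnel
    # Sheet: IKEv2 with a pre-shared secret. The secret itself lives in ipsec.secrets:
    #   192.0.2.10 203.0.113.20 : PSK "<secret exchanged out of band>"
    keyexchange=ikev2
    authby=secret

    # Phase 1: AES-CBC-256, HMAC-SHA-256, ECP-256 (DH group 19).
    # With no PRF listed, the PRF matching the integrity algorithm (SHA-256) is proposed.
    # The trailing "!" makes the proposal strict: the defaults are not appended.
    ike=aes256-sha256-ecp256!

    # Phase 2: AES-CBC-256 with HMAC-SHA-256 truncated to 128 bits.
    # No DH group in the ESP proposal means no PFS, as the sheet asks.
    esp=aes256-sha256!
    # Only if the peer's staff confirm they use the 96-bit truncation:
    # esp=aes256-sha256_96!

    # Lifetimes from the sheet. Rekeying starts some time before these expire
    # (margintime), so the SAs are replaced rather than torn down.
    ikelifetime=86400s
    lifetime=28800s

    # Placeholders: local and peer endpoints and the protected subnets.
    left=192.0.2.10
    leftsubnet=10.10.0.0/24
    right=203.0.113.20
    rightsubnet=10.20.0.0/24
    auto=start
```

Once the tunnel is up, `ipsec statusall` shows the IKE and ESP algorithms that were actually negotiated, which is the place to confirm that the strict proposals matched what the peer offers.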
