[strongSwan] support for md5-des
Hi All,

While running IKEv1 (strongSwan 4.3.5) with proposal algorithm as md5-des, I am getting the following error:

    ike_alg: crypter DES_CBC not present.

Any pointers as to how to overcome the above problem.

Regds
Anil
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] support for md5-des
Hi Anil,

for security reasons strongSwan does not support single DES. You could as well use NULL encryption (which is not supported either).

Regards
Andreas

On 05/27/2010 09:00 AM, NAGARAJAN, ANIL (ANIL) wrote:
> Hi All,
>
> While running IKEv1 (strongSwan 4.3.5) with proposal algorithm as md5-des, I am getting the following error:
>
>     ike_alg: crypter DES_CBC not present.
>
> Any pointers as to how to overcome the above problem.
>
> Regds
> Anil

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
[strongSwan] Doubt regarding Certificate updation in IKEv2 Stack
Hi,

Some doubts regarding certificate updation in the IKEv2 stack. Consider the following scenario:

CACERT1 (old with new) and CACERT2 (new with new) are both from the same CA.
CERT1: signed with CACERT1
CERT2: signed with CACERT2

1. Certificates on PC1:            Certificates on PC2:
   CACERT1                         CACERT1
   CACERT2                         CACERT2
   CERT2 (signed with CACERT2)     CERT1 (signed with CACERT1)

   IKE and IPsec SA creation PC1-PC2 is successful.

2. Certificates on PC1:            Certificates on PC2:
   CACERT2                         CACERT1
   CERT2 (signed with CACERT2)     CACERT2
                                   CERT1 (signed with CACERT1)

   IKE and IPsec SA creation PC1-PC2 is successful.

In the second step, the IKEv2 stack on PC1 is given only CACERT2 and CERT2 through the ipsec.conf file by firing the ipsec update command.

Q. Now if I try to create another IKE SA between PC1 and PC2, will it be successful, as PC1 will not be able to decrypt PC2's certificate (CERT1) because of the non-availability of CACERT1 on PC1?

Thanks in advance.

Regards,
Vivek
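The two trust-store states from the question, reproduced with a throw-away test PKI. This is an added example, not strongSwan code and not from the thread: it assumes the openssl command-line tool is installed and uses `openssl verify` as a stand-in for the IKEv2 daemon's chain check; the names CACERT1, CACERT2, CERT1 and CERT2 are taken from the post, and every key and certificate is generated on the fly.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two trust-store states
# from the post with constructed test certificates (names as in the post).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate and key, e.g. make_ca CACERT1
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Test $1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# End-entity certificate $1 signed by CA $2, e.g. issue_cert CERT1 CACERT1
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# Verify certificate $1 against the CA certificates named in $2..;
# returns 0 if it chains to one of those CAs, 1 otherwise.
verify_with() {
  cert=$1; shift
  : > "$WORK/trust.pem"
  for ca in "$@"; do cat "$WORK/$ca.pem" >> "$WORK/trust.pem"; done
  openssl verify -CAfile "$WORK/trust.pem" "$WORK/$cert.pem" >/dev/null 2>&1
}

make_ca CACERT1
make_ca CACERT2
issue_cert CERT1 CACERT1
issue_cert CERT2 CACERT2

# Step 1 from the post: PC1 trusts CACERT1 and CACERT2, so PC2's CERT1 chains.
verify_with CERT1 CACERT1 CACERT2 && echo "step 1: CERT1 verifies"
# Step 2: PC1 trusts only CACERT2; CERT1 no longer chains to a trusted CA.
verify_with CERT1 CACERT2 || echo "step 2: CERT1 rejected (no CACERT1 on PC1)"
```

The rejection in step 2 is a signature-chain failure, not a decryption failure: PC1 has no trusted issuer for CERT1 once CACERT1 is dropped.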
[strongSwan] StrongSwan versions
Hi folks,

I have been lurking on the *Swan lists for quite a while to get some ideas on the various versions. This has probably been answered some time back, but I would like to have a canonical idea.

StrongSwan supports kernel versions 2.4 and 2.6. StrongSwan supports IKEv1 and IKEv2 according to the docs. Does it support both IKEv1 and IKEv2 on both 2.4 and 2.6 kernel versions?

4.4 appears to be geared towards 2.6 kernels only; is it safe to assume that 2.8 is the kernel 2.4 only branch?

Does StrongSwan suffer from the same problems as OpenSwan in the 2.6 branch? I am specifically interested in some compression issues mentioned in http://www.openswan.org/docs/local/README.Kernel26

Thanks
Erich
Re: [strongSwan] StrongSwan versions
Hi Martin,

Thanks for the quick reply.

at 27.05.2010 12:03, Martin Willi wrote:
> Hi Erich,
>
>> Does it support both ikev1 and ikev2 on both 2.4 and 2.6 kernel versions?
>
> The 2.8 branch is basically IKEv1 only, where 4.x supports IKEv2, too.

OK, so if one wants to be able to speak IKEv2, 4.x is a must. Is a mixed environment feasible?

> The IKEv1 daemon pluto has kernel interfaces to both, KLIPS and Netkey (via XFRM), but I'm not sure if pluto in 4.x still works properly on KLIPS. Our IKEv2 daemon charon was initially developed for the Netkey stack via XFRM, but it gained experimental (and not fully complete) support for KLIPS and a more generic PF_KEY interface, usable on Linux and on BSD.
>
> The 2.6 kernel has built-in IPsec functionality, the Netkey stack. There are patches for KLIPS on 2.6. The vanilla 2.4 kernel does not have any IPsec functionality. There are patches for the KLIPS stack, openswan has its focus on KLIPS. But there is also a backport of the Netkey stack to the 2.4 kernel, Debian used this patchset in its 2.4 kernel series.

Basically, from a user's viewpoint, the most visible interface is the configuration and the monitoring interface. I reckon the interface to pluto is its configuration files, which would then be portable, but some of the quite handy ipsec subcommands might not work anymore, e.g. ipsec eroute. For charon, not having played with it yet, I have no clue.

> If you are running IKEv2 tunnels, I'd recommend a Netkey IPsec stack. We test on 2.6 kernels only, but a Netkey patched 2.4 kernel should work, too.
>
>> Does StrongSwan suffer from the same problems as OpenSwan in the 2.6 branch? I am specifically interested in some compression issues
>
> We fixed an IPComp bug for IKEv2 in 4.3.6, but it should work fine now. We successfully tested it with other (commercial) vendors. As the daemons configure IPComp the same way, I think there is no difference in IPComp between IKEv1/IKEv2. I don't know if the compression is compatible with the KLIPS stack, though.

Ouch. I am considering using strongswan instead of openswan for an embedded project I have been involved in for a number of years (leaf.sourceforge.net). I want to avoid the gotchas and provide as much portability and interoperability as possible. I am running roughly 100 tunnels on a legacy system which I would like to update to a recent software level, but this requires a high level of interoperability.

Erich
[strongSwan] error: no default route - cannot cope with %defaultroute!!!
I am trying to integrate strongswan into another open source UTM called untangle. http://www.untangle.com

Untangle runs on debian lenny, so I was able to aptitude install strongswan and it installed along with ipsec-tools. The install did not prompt me with the blue questions page, but rather skipped all of that and made the certs on its own (apparently).

I then get the error: no default route - cannot cope with %defaultroute!!!

This makes sense, since ip route shows the following:

    172.16.0.0/24 dev eth1 proto kernel scope link src 172.16.0.1
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.175
    172.16.1.0/24 dev eth2 proto kernel scope link src 172.16.1.1
    192.0.2.0/24 dev dummy0 proto kernel scope link src 192.0.2.42
    192.0.2.0/24 dev utun proto kernel scope link src 192.0.2.43

eth0 is the default gateway. dummy0 and utun are used by untangle for updates and the integrated openvpn ssl vpn server it's already running.

I had read a lot on the error, and my config file is as follows:

    config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        interfaces=ipsec0=eth0
        nat_traversal=yes
        charonstart=yes
        plutostart=no

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

    conn net-net
        left=192.168.1.175
        leftnexthop=192.168.1.1
        leftsubnet=172.16.0.0/24
        left...@moon.strongswan.org
        leftfirewall=yes
        right=8.19.101.8
        rightsubnet=10.2.0.0/16
        right...@sun.strongswan.org
        auto=add

Running the command ipsec start generates:

    Starting strongSwan 4.2.4 IPsec [starter]...
    charon is already running (/var/run/charon.pid exists) -- skipping charon start
    no default route - cannot cope with %defaultroute!!!
    starter is already running (/var/run/starter.pid exists) -- no fork done

I don't understand why it's saying cannot cope with %defaultroute!!! since nowhere in the config does it specify %defaultroute.

This is just a test bed, but if I can get strongswan to start correctly then I will put it on a live IP and connect it with a cloud server that is running strongswan to test. I have installed it on 8.19.101.8 (cloud server, base debian) and it worked just fine.

I know I'm throwing a lot of info out there, hopefully someone can help.

TIA
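A quick check for the condition the starter message above reports. This is an added example, not starter code: it reads `ip route` output on stdin and prints the interface and gateway a default route would resolve to, or fails when the table has none. The first table is the one posted (only link-scope routes); the second is constructed by adding a default route through the eth0 gateway that the posted configuration names as leftnexthop.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan. Reads "ip route"
# output on stdin; prints "<iface> <gateway>" (gateway "-" if absent) and
# returns 0 when a default route exists, prints nothing and returns 1 otherwise.
default_route() {
  awk '$1 == "default" {
         for (i = 2; i <= NF; i++) {
           if ($i == "via") gw = $(i + 1)
           if ($i == "dev") dev = $(i + 1)
         }
         if (dev != "") { print dev, (gw == "" ? "-" : gw); found = 1; exit }
       }
       END { exit (found ? 0 : 1) }'
}

# Routing table exactly as posted in the thread: no "default" entry at all.
ROUTES_NO_DEFAULT='172.16.0.0/24 dev eth1 proto kernel scope link src 172.16.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.175
172.16.1.0/24 dev eth2 proto kernel scope link src 172.16.1.1
192.0.2.0/24 dev dummy0 proto kernel scope link src 192.0.2.42
192.0.2.0/24 dev utun proto kernel scope link src 192.0.2.43'

# Constructed: the same table plus a default route via the eth0 gateway
# (192.168.1.1 is the leftnexthop value from the posted ipsec.conf).
ROUTES_WITH_DEFAULT="default via 192.168.1.1 dev eth0
$ROUTES_NO_DEFAULT"

printf '%s\n' "$ROUTES_NO_DEFAULT" | default_route \
  || echo "posted table: no default route, nothing for %defaultroute to resolve"
printf '%s\n' "$ROUTES_WITH_DEFAULT" | default_route
```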