Hi, First I should note that I'm as guilty as any for adding to the problems here, more recently I've been dumping details into pluto.log so hopefully I'm reformed :-)
The output from: $ ipsec auto --status includes: 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 algorithm IKE dh group: id=19, name=OAKLEY_GROUP_ECP_256, bits=512 000 algorithm IKE dh group: id=20, name=OAKLEY_GROUP_ECP_384, bits=768 000 algorithm IKE dh group: id=21, name=OAKLEY_GROUP_ECP_521, bits=1056 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048 I find the DH list especially bad and the main one I'd like to fix, but I figure I should list all the issues I see: - 'group' and 'oakley' shouldn't appear - for DH19..DH21 should it use "dh19" rather than the poorly defined ECP_256 (seemingly SECP256R1 is the actual name? I should check NIST) - is the ID (and duplicates) helpful to users? Instead include that in pluto.log - are the duplicate names (v1name/v2name/name) helpful? Instead just list a single somewhat official name like AES_CBC - should the allowed key lengths be listed explicitly (on separate lines, say), i.e., AES_CBC_128 - how should IKEv1 vs IKEv2 only algorithms be identified (the GCM algorithms are _not_ IKEv1) - hash is an IKEv1 term, PRF is the IKEv2 term and the more correct name is HMAC_MD5 - is hashlen helpful? Modern algorithms include the 'hashlen' in the name. - upper or lower case? (I suspect upper case would actually be better) Andrew _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
