Dear All,

    I've tried finding information on the plugins used by strongSwan and
    have failed miserably. I'm hoping someone here can please throw some
    light on the matter.

    We're using eap-sim and eap-aka mechanisms to set up the tunnel. So
    I have configured and built strongSwan with --disable-pluto to save
    space in the installation.

    We've also got openssl already installed, so I've also built with
    --enable-openssl.

    Now I'm looking to trim back the strongSwan plugins we don't need to
    build and install.

    Part 1
    ======

    Which plugins can I get rid of when openssl is being used ?

    I tried adding openssl to the list of plugins in strongswan.conf and
    removing the following:

        aes des sha1 sha2 md5 gmp xcbc fips-prf

    However, with these removed, the tunnel does not come up. A little
    experimentation shows that I have to add fips-prf (okay, I can
    understand this one) and sha1 back in.

    Why do I need to add sha1 back in ?

    Doesn't the openssl plugin provide the same sha1 capability (via
    openssl) ?

    Part 2
    ======

    Is there a description anywhere of what the various plugins do ?

    Which plugins require other plugins ?

    Which can be removed when using openssl ?

    If I use "fips-prf", can I remove "random" ? Or are they not
    alternatives ?

    It would also be useful if the UML tests included strongswan.conf
    files that indicated the minimum/specific list of plugins required
    per test rather than seeming to include the "standard set" plus any
    specialist ones required.

    There is a page in the strongSwan wiki here
    <http://wiki.strongswan.org/wiki/strongswan/IKEv2CipherSuites> which
    lists the cipher suites supported for IKEv2. Does this show that
    /only/ the algorithms marked with an "o" will be picked up from
    openssl when the openssl plugin is used ? And that no other
    algorithms which are *not* marked with an "o" will be picked up from
    openssl (e.g. sha1 will not come from openssl) ?

    Hope these questions aren't too noob for everyone!

    Graham.

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
