Martin,
Many thanks for your reply! I appreciate it. Your answers are very helpful.

To give you some context, we are in an effort to support IPsec tunnels with the RedHat RHEL 5.3 kernel (2.6.18-128) (I mistyped before, it is not 5.2). Based on your answers, it appears that strongswan meets our requirements more than openswan (would you agree based on the requirements I had mentioned?). However, is the kernel issue (sha256+esp) strongswan specific? I would tend to think that this would be an issue for all IPsec solutions.

Regarding the bug for "ipsec statusall", I googled and saw an email from Johannes that said that RHEL version 5.4 contains the fix for this; however, it did not mention the RedHat bug number or the kernel patch. Johannes' email from this morning, though, suggests that this fix went into 5.3 (2.6.18-164 or earlier). Is this an IPsec issue or a strongswan issue? BTW, if there is any info available on this bug (RedHat bug number etc.) or the Linux kernel patch, please let us know so we can try to evaluate how best to apply it. I have done some limited searching for this on RedHat's web site but did not find this bug for either the 5.3 (2.6.18-128) or 5.4 kernels.

Regards,
-Deepak

-----Original Message-----
From: Martin Willi [mailto:[email protected]]
Sent: Tuesday, November 10, 2009 4:49 AM
To: Gupta, Deepak (Deepak)
Cc: '[email protected]'
Subject: Re: [strongSwan] Strongswan support for RHEL5

Hi,

> IPsec v3 (RFCs 4301 and 4303)

The Linux kernel does not completely support the new IPsec standards. It currently does not support Extended Sequence Numbers or Traffic Selector ranges (only complete subnets).

> IKEv2
> OCSP (over http) for CRLs and CA management
> Automatic Keying
> Ike=aes128-sha2_256-modp2048

This is supported by strongSwan.

> Esp=aes128-sha2_256

The Linux kernel uses an incorrect truncation scheme for ESP packets with SHA256. You might try to use the patch available at [1] to use the correct 96-bit truncation.

> 1. Does strongswan support RHEL5.2 (x86_64 64 bit)?

It should. There was a bug in earlier RHELs, where querying SAs in the kernel immediately deletes them. I don't know if this is still correct for 5.2, but you'll see SAs disappearing when running "ipsec statusall".

> 2. Are there any known issues for this version of this OS for the
> IPsec params mentioned above?

As mentioned.

> 3. Where can I find rpms for RHEL5?

There are no official RPMs for RHEL. There is currently a discussion about spec files on this list, you might want to try one of these.

Regards
Martin

[1] http://kerneltrap.org/mailarchive/linux-kernel/2008/6/5/2039114
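The ESP/SHA256 truncation mismatch discussed in the thread, illustrated with an added example that is not part of either message: an ESP integrity check value (ICV) is HMAC-SHA-256 over the authenticated packet region, cut to a fixed number of leftmost bits, so a peer that truncates to 96 bits and one that truncates to 128 bits will reject each other's packets as integrity failures even with the same key. The SPI, sequence number, payload and key below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample ESP fields (not from a real capture): SPI, sequence
# number, and a payload standing in for the encrypted ESP body.
SAMPLE_SPI = b"\x00\x00\x10\x01"
SAMPLE_SEQ = b"\x00\x00\x00\x07"
SAMPLE_PAYLOAD = b"\x45\x00\x00\x1c" + b"\x00" * 24
SAMPLE_KEY = bytes(range(32))  # constructed 256-bit integrity key


def esp_icv(key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """Return the ESP ICV: HMAC-SHA-256 over the authenticated region
    (SPI || sequence number || encrypted payload), keeping only the
    leftmost trunc_bits bits (96 or 128 are the lengths seen in practice)."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError("truncation must be a byte multiple in 1..256 bits")
    mac = hmac.new(key, authenticated, hashlib.sha256).digest()
    return mac[: trunc_bits // 8]


def verify_icv(key: bytes, authenticated: bytes, received: bytes,
               trunc_bits: int) -> bool:
    """Receiver-side check: recompute with the receiver's configured
    truncation length and compare in constant time. A length mismatch is
    treated as failure, which is what a peer with the other truncation
    length sees on every packet."""
    expected = esp_icv(key, authenticated, trunc_bits)
    return len(received) == len(expected) and hmac.compare_digest(expected, received)


def interop_check(sender_bits: int, receiver_bits: int) -> bool:
    """Simulate one peer emitting an ICV with sender_bits and the other
    verifying with receiver_bits; True only when both sides agree."""
    authenticated = SAMPLE_SPI + SAMPLE_SEQ + SAMPLE_PAYLOAD
    icv = esp_icv(SAMPLE_KEY, authenticated, sender_bits)
    return verify_icv(SAMPLE_KEY, authenticated, icv, receiver_bits)


if __name__ == "__main__":
    for s, r in ((128, 128), (96, 96), (96, 128), (128, 96)):
        print(f"sender {s}-bit, receiver {r}-bit: "
              f"{'ok' if interop_check(s, r) else 'integrity failure'}")
```

When both tunnel ends run the same truncation length the check passes; a mismatch shows up only as dropped packets on the receiving side, which is why a kernel that truncates differently from its peer breaks the tunnel even though the negotiated proposal string on both ends is identical.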
