Andreas,

Many thanks for the info.

Please consider: if we do not have the luxury of using this kernel patch for esp+sha256, i.e. on both ends of the tunnel, can the two ends still use esp128-sha2_256? Or does this non-conforming 96-bit truncation rule out this combination for phase 2? In the latter case, what are our options? Are we then limited to sha1?

-Deepak

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Tuesday, November 10, 2009 3:22 PM
To: Gupta, Deepak (Deepak)
Cc: 'Martin Willi'; '[email protected]'
Subject: Re: [strongSwan] Strongswan support for RHEL5

Gupta, Deepak (Deepak) wrote:
>
> Martin,
>
> Many thanks for your reply! I appreciate it.
>
> Your answers are very helpful. To give you some context, we are in an
> effort to support IPsec tunnels with RedHat RHEL 5.3 kernel
> (2.6.18-128) (I mistyped before, it is not 5.2). And based on your
> answers, it appears that strongSwan meets our requirements more than
> openswan (would you agree based on the requirements I had mentioned?),
> however, is the kernel issue (sha256+esp) strongSwan specific? I
> would tend to think that this would be an issue for all IPsec
> solutions.
>
Yes, this is a general issue with the Linux 2.6 kernel. We offered a
kernel patch more than a year ago which was unfortunately rejected by
the kernel developers because they wanted backward compatibility with
the old non-conforming 96-bit truncation.

> Regarding the bug for "ipsec statusall", I googled and saw an email
> from Johannes that said that RHEL version 5.4 contains the fix for
> this, however, it did not mention the RedHat bug number or the kernel
> patch. However, Johannes' email from this morning suggests that this
> fix went into 5.3 (2.6.18-164 or earlier). Is this issue an IPsec issue
> or a strongSwan issue?
>
This is an IPsec issue with the Linux 2.6 kernel. After some haggling
RedHat recognized this and fixed the bug.

> BTW, if there is any info available on this bug (redhat bug number etc.)
> or linux kernel patch, please let us know so we can try to evaluate
> how best to apply it. I have done some limited searching for this on
> RedHat's web site but did not find this bug for either the 5.3
> (2.6.18-128) or 5.4 kernels.
>
> Regards,
>
> -Deepak

Best regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
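The truncation mismatch Andreas describes, as an added illustration that is not code from this thread or from strongSwan: an ESP integrity check value (ICV) is the HMAC output cut to a fixed width, RFC 4868 fixes it at 128 bits for HMAC-SHA-256, and the old 2.6 kernel used 96 bits instead, so a peer that truncates differently never verifies the other side's packets. The key, payload and helper names below are constructed for the example; it also covers HMAC-SHA1-96, where both sides agree on 96 bits.

```python
import hmac

# Standard ICV widths (leftmost bits of the HMAC output).
SHA256_RFC4868_BITS = 128   # HMAC-SHA-256-128 (conforming)
SHA256_LEGACY_LINUX_BITS = 96  # what the old Linux 2.6 kernel emitted
SHA1_RFC2404_BITS = 96      # HMAC-SHA1-96, the usual phase-2 fallback

# Constructed sample key and authenticated data (ESP header + ciphertext).
SAMPLE_KEY = b"\x11" * 32
SAMPLE_AUTH_DATA = b"constructed ESP header and encrypted payload"


def compute_icv(key: bytes, authenticated: bytes, digest: str, icv_bits: int) -> bytes:
    """HMAC over the authenticated part of the packet, truncated to icv_bits."""
    full = hmac.new(key, authenticated, digest).digest()
    return full[: icv_bits // 8]


def build_esp(key: bytes, authenticated: bytes, digest: str, icv_bits: int) -> bytes:
    """Sender appends its ICV, sized by its own idea of the truncation."""
    return authenticated + compute_icv(key, authenticated, digest, icv_bits)


def verify_esp(key: bytes, packet: bytes, digest: str, icv_bits: int) -> bool:
    """Receiver splits off the last icv_bits/8 bytes and recomputes the ICV.

    If the receiver assumes a different width than the sender, it slices the
    packet at the wrong place, so the HMAC covers the wrong bytes and fails.
    """
    n = icv_bits // 8
    if len(packet) <= n:
        return False
    body, icv = packet[:-n], packet[-n:]
    return hmac.compare_digest(icv, compute_icv(key, body, digest, icv_bits))


def interop(sender_bits: int, receiver_bits: int, digest: str = "sha256") -> bool:
    """Does a receiver using receiver_bits accept a packet built with sender_bits?"""
    packet = build_esp(SAMPLE_KEY, SAMPLE_AUTH_DATA, digest, sender_bits)
    return verify_esp(SAMPLE_KEY, packet, digest, receiver_bits)


if __name__ == "__main__":
    print("patched <-> patched (128/128):", interop(128, 128))
    print("patched <-> old kernel (128/96):", interop(128, 96))
    print("old kernel <-> patched (96/128):", interop(96, 128))
    print("old kernel <-> old kernel (96/96):", interop(96, 96))
    print("sha1-96 both sides:", interop(96, 96, "sha1"))
```

Only the pairs where both ends truncate identically verify, which is why mixing a patched and an unpatched kernel on esp+sha256 fails while sha1 (96 bits on every side) keeps working.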
