Hi Deepak,

if both sides use the same Linux kernel implementation then interoperability with sha2_256_96 is of course possible.

Unfortunately there is no stronger alternative with true 128-bit strength since AES-XCBC data integrity is also truncated to 96 bits and AES-GCM is not available yet with 2.6.18.

Best regards

Andreas

Gupta, Deepak (Deepak) wrote:
> Andreas,
>
> Many thanks for the info.
>
> Please consider, if we do not have the luxury to use this kernel
> patch for esp+sha256, i.e., both ends of the tunnel, then can the 2
> ends still use esp128-sha2_256? Or does this non-conforming 96-bit
> truncation rule out this combination for phase2? In the latter case,
> what are our options, are we then only limited to sha1?
>
> -Deepak
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:[email protected]]
> Sent: Tuesday, November 10, 2009 3:22 PM
> To: Gupta, Deepak (Deepak)
> Cc: 'Martin Willi'; '[email protected]'
> Subject: Re: [strongSwan] Strongswan support for RHEL5
>
> Gupta, Deepak (Deepak) wrote:
>> Martin,
>>
>> Many thanks for your reply! I appreciate it.
>>
>> Your answers are very helpful. To give you some context, we are in
>> an effort to support IPsec tunnels with RedHat RHEL 5.3 kernel
>> (2.6.18-128) (I mistyped before, it is not 5.2). And based on
>> your answers, it appears that strongswan meets our requirements
>> more than openswan (would you agree based on the requirements I had
>> mentioned?), however, is the kernel issue (sha256+esp) strongswan
>> specific? I would tend to think that this would be an issue for
>> all IPsec solutions.
>>
> Yes, this is a general issue with the Linux 2.6 kernel. We offered a
> kernel patch more than a year ago which was unfortunately rejected by
> the kernel developers because they wanted backward compatibility with
> the old non-conforming 96-bit truncation.
>
>> Regarding the bug for "ipsec statusall", I googled and saw an email
>> from Johannes that said that RHEL version 5.4 contains the fix for
>> this, however, it did not mention the RedHat bug number or the
>> kernel patch. However, Johannes' email from this morning suggests
>> that this fix went into 5.3 (2.6.18-164 or earlier). Is this issue
>> an IPsec issue or a strongswan issue?
>>
> This is an IPsec issue with the Linux 2.6 kernel. After some haggling
> RedHat recognized this and fixed the bug.
>
>> BTW, if there is any info available on this
>> bug (redhat bug number etc.) or linux kernel patch, please let us
>> know so we can try to evaluate how best to apply it. I have done
>> some limited searching for this on RedHat's web site but did not
>> find this bug for either the 5.3 (2.6.18-128) or 5.4 kernels.
>>
>> Regards,
>>
>> -Deepak
>
> Best regards
>
> Andreas

=====================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
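The point of the thread, that a 2.6.18 kernel truncates the HMAC-SHA-256 ICV to 96 bits while RFC 4868 specifies 128 bits, and that this only works if both peers do the same thing, can be shown with a few lines of Python. This is an added example and not code from the thread, from strongSwan or from the kernel; the "packet" is a simplified ESP trailer layout (authenticated data followed by the ICV), the key and payload are constructed, and the truncation lengths are the only thing that varies between the two peers.

```python
"""Why the ESP HMAC-SHA-256 ICV truncation must match on both ends.

RFC 4868 defines HMAC-SHA-256-128 for ESP/AH (128-bit ICV). Linux 2.6.18
instead truncated the HMAC-SHA-256 tag to 96 bits, the "non-conforming"
behaviour discussed in the thread. Added example, not strongSwan/kernel code.
Packet layout is simplified to: authenticated_data || ICV.
"""
import hashlib
import hmac

RFC4868_ICV_BITS = 128      # HMAC-SHA-256-128: what a conforming peer uses
LINUX_2_6_18_ICV_BITS = 96  # what a 2.6.18 kernel produces and expects


def compute_icv(key: bytes, authenticated: bytes, icv_bits: int) -> bytes:
    """HMAC-SHA-256 over the authenticated part of the packet, truncated to
    the leftmost icv_bits bits (RFC 2104 / RFC 4868 truncation rule)."""
    if icv_bits % 8 or not 0 < icv_bits <= 256:
        raise ValueError("icv_bits must be a multiple of 8 in (0, 256]")
    tag = hmac.new(key, authenticated, hashlib.sha256).digest()
    return tag[: icv_bits // 8]


def seal(key: bytes, authenticated: bytes, icv_bits: int) -> bytes:
    """Sender side: append the (truncated) ICV to the authenticated data."""
    return authenticated + compute_icv(key, authenticated, icv_bits)


def unseal(key: bytes, packet: bytes, icv_bits: int):
    """Receiver side: split off as many ICV bytes as the negotiated transform
    says, recompute and compare in constant time.
    Returns the authenticated data, or None on an integrity failure."""
    icv_len = icv_bits // 8
    if len(packet) <= icv_len:
        return None
    body, icv = packet[:-icv_len], packet[-icv_len:]
    if not hmac.compare_digest(icv, compute_icv(key, body, icv_bits)):
        return None
    return body


def truncation_is_prefix(key: bytes, data: bytes) -> bool:
    """The 96-bit ICV is simply the first 12 bytes of the 128-bit one; the
    two variants differ only in how many bytes are sent and checked."""
    return compute_icv(key, data, 96) == compute_icv(key, data, 128)[:12]


def interop(sender_bits: int, receiver_bits: int) -> bool:
    """True iff a packet sealed with sender_bits verifies under receiver_bits."""
    key = bytes(range(32))                      # constructed 256-bit HMAC key
    payload = b"constructed ESP payload, 48 bytes long....."  # constructed
    packet = seal(key, payload, sender_bits)
    return unseal(key, packet, receiver_bits) == payload


if __name__ == "__main__":
    for s, r in [(96, 96), (128, 128), (96, 128), (128, 96)]:
        print(f"sender {s:3d}-bit ICV -> receiver expecting {r:3d}-bit:",
              "OK" if interop(s, r) else "integrity failure")
```

Running the block shows that 96/96 and 128/128 both verify, while either mixed pairing fails: the receiver strips the wrong number of trailing bytes, so it authenticates a different body against a different-length tag, and every packet on the SA is dropped. In strongSwan's current proposal syntax `sha256` denotes the RFC 4868 128-bit truncation and `sha256_96` the 96-bit Linux-compatible variant (check the keyword spelling against the release actually deployed); both ends must negotiate the same one, which is exactly the constraint stated in the reply above.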
