Hi all,
Does anyone know how to turn on ECDH groups for IKEv1 negotiation in
Strongswan? Here is what I did for my test and it didn't work.
1/ Download latest strongswan tarball v4.3.6.
2/ Install strongswan.
    ./configure -enable-openssl
    make
    make install
3/ Configure p1 proposal with ecdh group for strongswan conn.
    ike=3des-sha1-ecp256
4/ Initiate peer connection with DH group 19. I got the following error from
the strongswan log.
    *****parse ISAKMP oakley attribute:
    af+type: OAKLEY_GROUP_DESCRIPTION
    length/value: 19
    [19 is ECP_256]
    "ssg20" #1: ECP_256 is not supported.
    "ssg20" #1: no acceptable oakley transform
    "ssg20" #1: sending notification NO_PROPOSAL_CHOSEN to 10.158.30.23:500
5/ Here is what I got from "sudo ipsec listalgs". I don't see ECC groups being
listed.
    test:~/strongswan-4.3.6$ sudo ipsec version
    Linux strongSwan U4.3.6/K2.6.15-27-386
    Institute for Internet Technologies and Applications
    University of Applied Sciences Rapperswil, Switzerland
    See 'ipsec --copyright' for copyright information.
    test:~/strongswan-4.3.6$ sudo ipsec listalgs
    000
    000 List of registered IKEv1 Algorithms:
    000
    000 encryption: 3DES_CBC AES_CBC
    000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
    000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144 MODP_8192
    000
    000 List of registered ESP Algorithms:
    000
    000 encryption: DES_CBC 3DES_CBC BLOWFISH_CBC NULL AES_CBC AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16 SERPENT_CBC TWOFISH_CBC
    000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 NULL HMAC_SHA2_256_96
Thanks.
Songling
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
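
The check done by eye in step 5 of the post above, comparing an ike= proposal against what `ipsec listalgs` reports, can be scripted. This is an added example, not part of the original post and not strongSwan code; the function names and the keyword-to-name mapping are assumptions, and the sample is constructed from the output quoted in the post.

```python
import re

# Constructed sample: part of the `ipsec listalgs` output quoted in the post,
# keeping the mail-wrapped continuation line that lacks the "000" prefix.
SAMPLE = """\
000 List of registered IKEv1 Algorithms:
000 encryption: 3DES_CBC AES_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144
MODP_8192
000
000 List of registered ESP Algorithms:
000 integrity: HMAC_MD5 HMAC_SHA1
"""

# Assumed mapping from ipsec.conf keywords to the names listalgs prints; it
# covers only what the post's proposal needs. MODP/ECP groups are derived below.
KEYWORDS = {"3des": ("encryption", "3DES_CBC"), "aes": ("encryption", "AES_CBC"),
            "md5": ("integrity", "HMAC_MD5"), "sha1": ("integrity", "HMAC_SHA1")}

def parse_listalgs(text):
    """Return {section: {category: set(names)}} from `ipsec listalgs` output."""
    algs, section, category = {}, None, None
    for raw in text.splitlines():
        line = re.sub(r"^000\s?", "", raw).strip()
        head = re.match(r"List of registered (\S+) Algorithms:", line)
        entry = re.match(r"([\w-]+):\s*(.*)", line)
        if head:
            section, category = head.group(1), None
            algs[section] = {}
        elif entry and section:
            category = entry.group(1)
            algs[section].setdefault(category, set()).update(entry.group(2).split())
        elif line and section and category:
            algs[section][category].update(line.split())  # wrapped continuation
    return algs

def unregistered(ike, algs, section="IKEv1"):
    """Return the keywords of an ike= proposal that `section` does not list."""
    missing = []
    for kw in ike.lower().split("-"):
        group = re.fullmatch(r"(modp|ecp)(\d+)", kw)
        if group:  # modp2048 -> MODP_2048, ecp256 -> ECP_256 (name from the log)
            cat, name = "dh-group", f"{group.group(1).upper()}_{group.group(2)}"
        else:
            cat, name = KEYWORDS.get(kw, (None, None))  # unknown keyword is reported
        if name not in algs.get(section, {}).get(cat, set()):
            missing.append(kw)
    return missing
```

Calling `unregistered("3des-sha1-ecp256", parse_listalgs(SAMPLE))` on this sample returns `["ecp256"]`, which matches the "ECP_256 is not supported" line in the log.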