[Openswan Users] Openswan support for Ipsec v3

Gupta, Deepak (Deepak) deepak.dg.gupta at alcatel-lucent.com
Wed Nov 4 14:14:57 EST 2009


Paul,

It's really good to know that all these algs are supported. However, are these named differently in the man pages? Or perhaps these just haven't been updated in the ipsec.conf man page? Is there a place I can get a complete list of esp and ike algs (including pfsgroups)?

Regarding support for Ipsec v3, the openswan docs do not list the 4301 and 4303 RFCs in the list of supported RFCs. Is this because the doc is outdated, or is it that openswan implements the earlier original RFCs and has some features added from the new RFCs, but not comprehensive support of the new RFCs? Pardon my ignorance, but I am not intricately aware of all the differences between the 2 main RFCs (the old and the new), so I can't ask you about support for particular features. We have a requirement to support Ipsec v3; does openswan 2.6.14 basically "meet" that?

Thanks,

-Deepak



-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, November 04, 2009 4:15 AM
To: Gupta, Deepak (Deepak)
Cc: 'users at openswan.org'
Subject: Re: [Openswan Users] Openswan support for Ipsec v3

On Tue, 3 Nov 2009, Gupta, Deepak (Deepak) wrote:

> Can someone shed some light on openswan's support for Ipsec version 3 (RFC4301 & RFC4303)? Does openswan 2.6.14 support these RFCs fully?

I'm not sure about "fully".

> Aes128-cbc for enc

Yes.

> HMAC SHA 256 for integrity

Yes.

> 2048RSA-SHA256 for peer auth

This is not esp but ike?

> For IKE:
>
> HMAC-SHA1

Yes

> 2048modp (DH Group)

Yes

> HMAC-SHA256 for integrity

Yes

> 2048RSA-SHA256 for peer auth

Yes.

Paul

