[Openswan Users] Openswan support for Ipsec v3

Gupta, Deepak (Deepak) deepak.dg.gupta at alcatel-lucent.com
Thu Nov 5 14:37:36 EST 2009


Paul,

Many many thanks for your reply.  I appreciate it.

From one of your earlier postings (https://gsoc.xelerance.com/issues/496) I gathered that SHA2 can be set for esp as per the following:

ike=aes256-sha1-4096
esp=aes256-sha2_256-4096
 
And, I also find that the file _startnetkey (not KLIPS) delivered by the IPsec rpm loads all the cipher .ko's.  I was just wondering, for example in the case above, when we specify sha2_256, will pluto load the sha256.ko module automatically?

Thanks,

-Deepak


-----Original Message-----
From: Gupta, Deepak (Deepak) 
Sent: Wednesday, November 04, 2009 2:15 PM
To: 'Paul Wouters'
Cc: 'users at openswan.org'
Subject: RE: [Openswan Users] Openswan support for Ipsec v3


Paul,

It's really good to know that all these algs are supported, however, are these named differently in the man pages? Or perhaps these just haven't been updated in the ipsec.conf man page?  Is there a place I can get a complete list of esp and ike algs (including pfsgroups)?

Regarding support for Ipsec v3, the openswan docs do not list the 4301 and 4303 RFCs in the list of supported RFCs.  Is this because the doc is outdated, or is it that openswan implements the earlier original RFCs and has some features added from the new RFCs, but not comprehensive support of the new RFCs?  Pardon my ignorance, but I am not intricately aware of all the differences between the 2 main RFCs (the old and the new), so I can't ask you about support for particular features.  We have a requirement to support Ipsec v3; does openswan 2.6.14 basically "meet" that?

Thanks,

-Deepak



-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Wednesday, November 04, 2009 4:15 AM
To: Gupta, Deepak (Deepak)
Cc: 'users at openswan.org'
Subject: Re: [Openswan Users] Openswan support for Ipsec v3

On Tue, 3 Nov 2009, Gupta, Deepak (Deepak) wrote:

> Can someone shed some light on openswan's support for Ipsec version 3 (RFC4301 & RFC4303)?  Does openswan 2.6.14 support these RFC's fully?

I'm not sure about "fully".

> Aes128-cbc for enc

Yes.

> HMAC SHA 256 for integrity

Yes.

> 2048RSA-SHA256 for peer auth

This is not esp but ike?

> For IKE:
>
> HMAC-SHA1

Yes

> 2048modp (DH Group)

Yes

> HMAC-SHA256 for integrity

Yes

> 2048RSA-SHA256 for peer auth

Yes.

Paul

