[Openswan Users] Should Openswan 2.6.24 do kernel patch?

mix.kao mix.kao at cipherium.com.tw
Sat Feb 6 03:26:08 EST 2010


Hello,

I built Openswan 2.6.24 (KLIPS) and kernel 2.6.28 to do IPsec.
Does Openswan still need to patch my kernel source? Or, in this
version, do we no longer need to patch the kernel?


Another question, about DES encryption:
I know DES is not secure anymore.
I found a curious symptom, shown below.

I installed Openswan 2.6.24 on my Arch Linux with DES support.
I can get DES support in phase 2 (ESP_DES), but there is no DES support
in phase 1 (IKE).

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 10.30.17.1
000 interface eth1/eth1 10.30.17.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000          error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256

==================================================================================

I compiled Openswan 2.6.24 with OCF and WEAK_STUFF support (ixp4xx
platform).

# should we include all manner of known to be broken/weak?
# use this only if you are building some kind of a testing
# device. Normal use does not need any of this.
USE_WEAKSTUFF?=true

# Build algorithms that don't even encrypt (also must set WEAKSTUFF)
# unless you are doing negative testing, turning this on is foolish.
USE_NOCRYPTO?=true

We can see I get DES support in phase 1 (OAKLEY_DES_CBC),
but no DES support in phase 2.

It is the same version of Openswan.
Can I say Openswan 2.6.24 still supports DES in phase 1/2? But how do I
enable it, or how do I make it work?


000 using kernel interface: klips
000 interface ipsec0/lo 127.0.0.1
000 interface ipsec1/ixp0 10.29.3.21
000 interface ipsec3/eth10 192.168.1.1
000 interface ipsec4/eth11 192.168.2.254
000 interface ipsec5/eth12 192.168.3.1
000 interface ipsec6/eth13 192.168.4.1
000 interface ipsec7/eth14 192.168.55.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000          error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
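
An added example, not part of the original post and not Openswan code: a small audit script that parses status lines of the kind quoted above and reports, per phase, which weak ciphers a build advertises. The `WEAK` set, the function names and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of the status lines quoted above,
# including one line that a mail client wrapped.
SAMPLE = """\
000 using kernel interface: netkey
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
"""

# Assumption for this example: single DES and NULL encryption count as weak.
WEAK = {"ESP_DES", "ESP_NULL", "OAKLEY_DES_CBC"}
ALGO_RE = re.compile(r"^000 algorithm (IKE|ESP) encrypt: (.*)$")

def unwrap(text):
    """Rejoin mail-wrapped lines: every real status line starts with '000'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("000") or not lines:
            lines.append(raw.rstrip())
        elif raw.strip():
            lines[-1] += " " + raw.strip()
    return lines

def parse_algorithms(text):
    """Return (phase, attrs) for each 'algorithm ... encrypt' line."""
    found = []
    for line in unwrap(text):
        m = ALGO_RE.match(line)
        if m:
            fields = re.split(r",\s*", m.group(2))
            attrs = dict(f.split("=", 1) for f in fields if "=" in f)
            # IKE lines are phase 1 proposals, ESP lines are phase 2.
            found.append(("phase1" if m.group(1) == "IKE" else "phase2", attrs))
    return found

def weak_by_phase(text):
    """Map each phase to the sorted weak cipher names that are advertised."""
    report = {"phase1": [], "phase2": []}
    for phase, attrs in parse_algorithms(text):
        if attrs.get("name") in WEAK:
            report[phase].append(attrs["name"])
    return {phase: sorted(names) for phase, names in report.items()}

if __name__ == "__main__": print(weak_by_phase(SAMPLE))
```
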

