« Previous -
Next » -
Andreas Steffen, 25.06.2012 11:51
Sending of Cisco Unity VID is supported now
Charon-Pluto IKEv1 Interoperability¶
Migration from Pluto to Charon¶
- We've tried hard to support most pluto configurations in charon. But please keep in mind that IKEv1 in charon is a completely new implementation and that it might behave differently than IKEv1 in pluto.
- The ipsec.conf config setup section ceased to support any of the pluto specific keywords as well as plutostart and charonstart. NAT-Traversal is always enabled in charon, for both IKEv1 and IKEv2. The IKEv2 eap keyword has been removed.
Deprecated, but still supported keywords¶
- The authby and xauth keywords are still supported, but deprecated. Please migrate your installation to the leftauth / rightauth keywords. XAuth is configured as multiple rounds using leftauth2 / rightauth2 keywords (i.e. leftauth=pubkey, leftauth2=xauth). To configure the new Hybrid Mode, define leftauth=xauth and rightauth=pubkey.
Perfect Forward Secrecy (PFS)¶
- The pfs option has been removed and the default for IKEv1 has been changed from enabled to disabled. To enable PFS both IKEv1 and IKEv2 now use the same syntax, namely listing a Diffie-Hellman group in the ESP proposal, esp=aes128-sha1-modp2048.
Smartcards and PKCS#11¶
- IKEv1 can use the same PKCS#11 backend as IKEv2, all pluto specific PKCS#11 options are obsolete.
Narrowing with rightsubnetwithin¶
- The IKEv1 responder narrowing keyword rightsubnetwithin is not supported anymore, but is an alias for rightsubnet. The leftsubnet / rightsubnet definitions are automatically narrowed if required. Please be aware that IKEv1 does actually not support narrowing, and returning a smaller subnet than requested might confuse the initiator (but works fine with charon). To interoperate with other implementations, make sure your subnet definitions match exactly.
- IKEv1 Mode Config Push Mode is not implemented yet. This might be an issue with Cisco Access Concentrators which usually force Mode Config Push Mode in the absence of XAUTH-based authentication.
- Support of some known Cisco quirks, e.g. tolerating surplus zero bytes in IKEv1 messages.
- Support of X.509 attribute certificates defining group memberships or roles for remote access users is not completed yet, although most of the necessary charon code is already in place.