Issue #2688

Upgrade Question

Added by Stuart Willson 7 months ago. Updated 12 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: ikev1
Affected version: 4.5.2
Resolution: No change required

Description

Hello,

I'm going to be upgrading one of my Strongswan boxes from 4.5.2 to 5.2.1. It's running a single IKEv1 point-to-point tunnel and connecting to a few different remote subnets using 3DES-SHA1 encryption. It seems to be using the Pluto daemon to run the show and it's a very basic config - no certificates or anything. I'd just like to check with you to see if there are any potential problems I might come across when upgrading to the newer version?

Many thanks,

Stuart

History

#1 Updated by Tobias Brunner 7 months ago

  • Status changed from New to Feedback

> I'm going to be upgrading one of my Strongswan boxes from 4.5.2 to 5.2.1.

5.2.1 is already very old. Why not upgrade to a more recent version?

> It's running a single IKEv1 point-to-point tunnel and connecting to a few different remote subnets using 3DES-SHA1 encryption.

Why upgrade at all then? If you use deprecated protocols there is really no need to upgrade. Or what do you expect to get out of the upgrade?

> It seems to be using the Pluto daemon to run the show and it's a very basic config - no certificates or anything. I'd just like to check with you to see if there are any potential problems I might come across when upgrading to the newer version?

Since IKEv1 was implemented from scratch, and the charon daemon works quite differently in some areas, there could very well be (in particular if you upgrade to an old version). Also see CharonPlutoIKEv1.

#2 Updated by Stuart Willson 7 months ago

Hi Tobias,

I know 5.2.1 is very old, but we tend to just install the version from the Debian repos. We're upgrading Strongswan due to the underlying OS going end-of-life and we're unable to pin the package. It would also be nice to have all of our instances running a common version. I believe the other end of the tunnel is an old Cisco box so I'm expecting a whole world of pain. Thank you for the Charon-Pluto interoperability link.

#3 Updated by Noel Kuntze 12 days ago

  • Category set to ikev1
  • Status changed from Feedback to Closed
  • Resolution set to No change required
