
Issue #3652

In strongswan ipsec.conf, how to set the "ike" parameters so that it can support all hash Algorithm and DH group server support?

Added by ray chao 10 months ago. Updated 10 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.9.1
Resolution:

Description

In the openswan config settings, "ike = 3des"

This means the connection uses the encryption algorithm "3des", and any left-out option will be filled in with all allowed default options.

But in strongSwan, when using the same config setting "ike = 3des", it shows "no IKE config found for..." and establishment fails.

If I want to achieve this behavior, how should I set the ike parameter, or does strongSwan not support this feature?

ipsec.conf parameter manual page:
openswan:
https://linux.die.net/man/5/ipsec.conf
strongswan:
https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

History

#1 Updated by Tobias Brunner 10 months ago

  • Category set to configuration
  • Status changed from New to Feedback

There are no such default values for strongSwan (other than the actual default proposal, which does include 3des, but the DH groups are probably too strong). Read the documentation for the ike setting on the page you linked for the correct syntax. A linked page there will also get you to the list of valid algorithm keywords.

#2 Updated by ray chao 10 months ago

So, if I want to set multiple hash algorithms and DH groups,
I can write as follows:
ike=aes128-md5-sha1-sha256-modp1024-modp768-modp1536-modp2048

to support

Hash Algorithm:
md5,sha1,sha256

DH Group:
modp1024,modp768,modp1536,modp2048

#3 Updated by Tobias Brunner 10 months ago

So, if I want to set multiple hash algorithms and DH groups,
I can write as follows:
ike=aes128-md5-sha1-sha256-modp1024-modp768-modp1536-modp2048

Only for IKEv2. For IKEv1, you have to add separate proposals (only the first algorithm of each transform type will be sent).

#4 Updated by ray chao 10 months ago

So, if in IKEv1 I want to support all hash and DH group combinations, I have to enumerate all combinations??
Ex:
aes128-md5-modp1024,aes128-md5-modp768,aes128-md5-modp1536,aes128-md5-modp2048,aes128-sha1-modp1024,aes128-sha1-modp768,aes128-sha1-modp1536.....

Hash Algorithm:
md5,sha1,sha256

DH Group:
modp1024,modp768,modp1536,modp2048

#5 Updated by Tobias Brunner 10 months ago

So, if in IKEv1 I want to support all hash and DH group combinations, I have to enumerate all combinations??

Yes. But you really should not support some of these algorithms anymore (e.g. md5 or modp768, even modp1024 should only be enabled as fallback for old peers).
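The following is an added example, not part of this issue thread and not strongSwan project code. It turns the two points made in #3 and #5 into a small generator: for IKEv2 the hash algorithms and DH groups from #2 go into one dash-separated proposal, while for IKEv1 every (encryption, integrity, group) combination from #4 is expanded into its own comma-separated proposal. It also builds a hardened variant that drops md5 and modp768 and lists modp1024 only after the stronger groups. Which keyword lands in the "legacy" or "fallback only" bucket is this example's own assumption, as are the conn names `legacy-peer` and `modern-peer`; the ike= syntax itself is the one documented on the strongSwan ConnSection page linked in the description.

```python
"""Generate strongSwan ipsec.conf ike= values for IKEv1 and IKEv2.

Added example (not strongSwan code). Assumed syntax, per the ConnSection
documentation: proposals are separated by commas, transforms inside a
proposal by dashes; for IKEv1 only the first algorithm of each transform
type in a proposal is sent, so each combination needs its own proposal.
"""
from itertools import product

# Buckets are this example's assumption, following comment #5:
# md5 and modp768 should no longer be offered; modp1024 only as a fallback.
LEGACY = {"md5", "modp768"}
FALLBACK_ONLY = {"modp1024"}


def ikev2_proposal(encs, integs, groups):
    """IKEv2: several algorithms per transform type fit into one proposal,
    e.g. aes128-sha1-sha256-modp1536-modp2048."""
    return "-".join([*encs, *integs, *groups])


def ikev1_proposals(encs, integs, groups):
    """IKEv1: strongSwan sends only the first algorithm of each transform
    type per proposal, so every (enc, integ, group) combination becomes a
    separate comma-separated proposal."""
    return ",".join(f"{e}-{i}-{g}" for e, i, g in product(encs, integs, groups))


def audit(ike_value):
    """Report weak keywords present in an ike= value (either syntax)."""
    algs = {a for prop in ike_value.split(",") for a in prop.split("-")}
    return {
        "legacy": sorted(algs & LEGACY),
        "fallback_only": sorted(algs & FALLBACK_ONLY),
    }


def hardened_ike(encs, integs, groups, ikev1=False):
    """Build the ike= value with legacy algorithms dropped and fallback-only
    DH groups moved to the end, so the stronger groups are listed first."""
    integs = [i for i in integs if i not in LEGACY]
    strong = [g for g in groups if g not in LEGACY | FALLBACK_ONLY]
    fallback = [g for g in groups if g in FALLBACK_ONLY]
    groups = strong + fallback
    if not (encs and integs and groups):
        raise ValueError("no acceptable algorithm left for some transform type")
    if ikev1:
        return ikev1_proposals(encs, integs, groups)
    return ikev2_proposal(encs, integs, groups)


def conn_snippet(name, ike_value, ikev1=False):
    """Render a minimal ipsec.conf conn section around the ike= value."""
    kx = "ikev1" if ikev1 else "ikev2"
    return f"conn {name}\n    keyexchange={kx}\n    ike={ike_value}\n"


if __name__ == "__main__":
    # The algorithm lists posted in comments #2 and #4.
    encs, integs = ["aes128"], ["md5", "sha1", "sha256"]
    groups = ["modp1024", "modp768", "modp1536", "modp2048"]

    as_posted = ikev2_proposal(encs, integs, groups)
    print("as posted (IKEv2 only):", as_posted)
    print("audit:", audit(as_posted))
    print("naive IKEv1 expansion has",
          len(ikev1_proposals(encs, integs, groups).split(",")), "proposals")
    print(conn_snippet("legacy-peer",
                       hardened_ike(encs, integs, groups, ikev1=True), ikev1=True))
    print(conn_snippet("modern-peer", hardened_ike(encs, integs, groups)))
```

Running it shows why the single IKEv2-style string from #2 silently offers only `aes128-md5-modp1024` under IKEv1, and that the full IKEv1 expansion of the posted lists is 12 proposals before any pruning; the hardened IKEv1 variant comes out at 6, with modp1024 proposals last.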
