Feature #863

Regarding support of sha-256 in Strongswan

Added by Sarabjit Kaur over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: High
Category: libstrongswan
Target version:
Start date: 25.02.2015
Due date:
Estimated time:
Resolution: Fixed

Description

Hello,

Please let me know if strongswan supports the SHA-256 algorithm.
When I had a look at the signing mechanism for the AUTH, I could see that only SHA-1 is supported.
By what means can I make use of SHA-256 for the IKEv2 procedures?

Would be grateful if any help on the same can be provided.

Associated revisions

Revision 0a8268d0
Added by Tobias Brunner over 5 years ago

Merge branch 'ikev2-signature-authentication'

This adds support for RFC 7427 signature authentication in IKEv2,
enabling the use of stronger signature schemes (e.g. RSA with SHA-2)
for IKE authentication.

Public key constraints defined in `rightauth` are now also checked
against IKEv2 signature schemes (may be disabled via strongswan.conf).

Fixes #863.

History

#1 Updated by Dao Wei Lim over 5 years ago

Sarabjit Kaur wrote:

Hello,

Please let me know if strongswan supports the SHA-256 algorithm.
When I had a look at the signing mechanism for the AUTH, I could see that only SHA-1 is supported.
By what means can I make use of SHA-256 for the IKEv2 procedures?

Would be grateful if any help on the same can be provided.

Make use of SHA256 for IKEv2?

Not sure if this is what you are looking for. Refer to https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites for the complete list of IKEv2 Cipher Suites supported by Strongswan.

An implementation example would be to include the following into your ipsec.conf:

ike=aes256-sha2_256-modp2048!
esp=aes256-sha2_256!

The first line specifies IKE phase 1 to strictly use only AES256 for encryption, SHA256 for cryptographic hash and DH Group 14 for key exchange.
The second line specifies this for IKE Phase 2.

#2 Updated by Andreas Steffen over 5 years ago

  • Status changed from New to Feedback
  • Assignee changed from Martin Willi to Andreas Steffen

Hi,
the forthcoming strongswan-5.3.0 release is going to support RFC 7427 "Signature Authentication in IKEv2", which allows negotiating any of the following hash algorithms to be used for signing the auth payload: SHA1, SHA2-256, SHA2-384, and SHA2-512. If you want to experiment with the new feature, please check out the ikev2-sig-auth branch from our git repository:

http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/ikev2-sig-auth

Regards

Andreas
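The hash negotiation described in the comment above, as an added example that is not part of the original thread and is not strongSwan code: it decodes the RFC 7427 SIGNATURE_HASH_ALGORITHMS notify data and the AlgorithmIdentifier at the start of a Digital Signature AUTH payload, then checks the hash against a SHA-2-only policy. The function names, the policy set and the sample bytes are assumptions made for illustration; the hash IDs and DER encodings are those given in RFC 7427.

```python
import struct

# Hash algorithm IDs listed in the SIGNATURE_HASH_ALGORITHMS notify (RFC 7427).
HASH_IDS = {1: "SHA1", 2: "SHA2-256", 3: "SHA2-384", 4: "SHA2-512"}

# DER AlgorithmIdentifier -> hash of the signature scheme (RFC 7427, Appendix A).
ALG_IDS = {
    bytes.fromhex("300d06092a864886f70d0101050500"): "SHA1",      # sha1WithRSAEncryption
    bytes.fromhex("300d06092a864886f70d01010b0500"): "SHA2-256",  # sha256WithRSAEncryption
    bytes.fromhex("300d06092a864886f70d01010c0500"): "SHA2-384",  # sha384WithRSAEncryption
    bytes.fromhex("300d06092a864886f70d01010d0500"): "SHA2-512",  # sha512WithRSAEncryption
    bytes.fromhex("300a06082a8648ce3d040302"): "SHA2-256",        # ecdsa-with-SHA256
}

def parse_hash_notify(data: bytes) -> list:
    """Decode the notify data: consecutive 16-bit big-endian hash IDs."""
    if len(data) % 2:
        raise ValueError("odd-length SIGNATURE_HASH_ALGORITHMS data")
    ids = struct.unpack(f">{len(data) // 2}H", data)
    return [HASH_IDS.get(i, f"unknown({i})") for i in ids]

def auth_signature_hash(auth_data: bytes) -> str:
    """Hash named in a Digital Signature (method 14) AUTH payload.
    Layout: 1-byte ASN.1 length | AlgorithmIdentifier | signature value."""
    if not auth_data:
        raise ValueError("empty authentication data")
    alg_len = auth_data[0]
    alg_id = auth_data[1:1 + alg_len]
    if len(alg_id) != alg_len or len(auth_data) == 1 + alg_len:
        raise ValueError("truncated AlgorithmIdentifier or missing signature")
    return ALG_IDS.get(alg_id, "unknown")

def audit_peer(notify_data: bytes, auth_data: bytes,
               allowed=frozenset({"SHA2-256", "SHA2-384", "SHA2-512"})) -> dict:
    """Report what the peer offered and whether its AUTH hash meets the policy."""
    offered = parse_hash_notify(notify_data)
    used = auth_signature_hash(auth_data)
    return {"offered": offered, "used": used,
            "offers_disallowed": [h for h in offered if h not in allowed],
            "accept": used in allowed}

# Constructed sample input: a peer offering all four hashes, then signing with
# RSA/SHA-256 (the 256 signature bytes are dummy zeros, not a real signature).
SAMPLE_NOTIFY = bytes.fromhex("0001000200030004")
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")
SAMPLE_AUTH = bytes([len(SHA256_RSA)]) + SHA256_RSA + bytes(256)

if __name__ == "__main__":
    print(audit_peer(SAMPLE_NOTIFY, SAMPLE_AUTH))
```

The sketch only identifies which hash a peer claims to have used; it does not verify the signature itself.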

#3 Updated by Tobias Brunner over 5 years ago

  • Tracker changed from Issue to Feature
  • Assignee changed from Andreas Steffen to Tobias Brunner
  • Target version set to 5.3.0
  • Resolution set to Fixed

I've merged the ikev2-sig-auth branch to master.

#4 Updated by Tobias Brunner over 5 years ago

  • Status changed from Feedback to Closed
