Charon-Pluto IKEv1 Interoperability » History » Version 10

Tobias Brunner, 14.06.2012 11:45

h1. Charon-Pluto IKEv1 Interoperability

* "IKEv1 Interoperability Test Cases": between the strongSwan Charon and Pluto daemons.
h1. Migration from Pluto to Charon

We've tried hard to support most pluto configurations in charon. But please keep in mind that IKEv1 in charon is a completely new implementation and that it might behave differently from IKEv1 in pluto.
h2. Obsolete keywords

The [[IpsecConf|ipsec.conf]] [[ConfigSetupSection|config setup]] section does not support any of the [[ConfigSetupSection#IKEv1-pluto-daemon-only|pluto-specific]] keywords, nor the _plutostart_, _charonstart_ or _crlcache_ keywords.

NAT-Traversal is always enabled in charon, for both IKEv1 and IKEv2. The IKEv2 _eap_ keyword has been removed.
h2. Deprecated, but still supported keywords

The _authby_ and _xauth_ keywords are still supported, but deprecated. Please migrate your installation to the _leftauth_ / _rightauth_ keywords. XAuth is configured as a further authentication round using the _leftauth2_ / _rightauth2_ keywords (e.g. _leftauth=pubkey_, _leftauth2=xauth_). To configure the new Hybrid Mode, define _leftauth=xauth_ and _rightauth=pubkey_.
h2. Perfect Forward Secrecy (PFS)

The _pfs_ option has been removed. To enable PFS, both IKEv1 and IKEv2 now use the same syntax: a Diffie-Hellman group listed in the ESP proposal, e.g. _esp=aes128-sha1-modp2048_.
h2. Smartcards and PKCS#11

IKEv1 can use the same [[SmartCardsIKEv2|PKCS#11 backend]] as IKEv2; all pluto-specific PKCS#11 options are obsolete.
h2. Narrowing with _rightsubnetwithin_

The IKEv1 responder narrowing keyword _rightsubnetwithin_ is no longer supported as such; it is treated as an alias for _rightsubnet_. The _leftsubnet_ / _rightsubnet_ definitions are automatically narrowed if required. Please be aware that IKEv1 does not actually support narrowing: returning a smaller subnet than requested might confuse the initiator (although it works fine with charon). To interoperate with other implementations, make sure your subnet definitions match exactly.
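The keyword changes described in the sections above (obsolete setup keywords, _authby_ / _xauth_ to _leftauth_ / _rightauth_, _pfs_ to a DH group in _esp_, _rightsubnetwithin_ to _rightsubnet_) can be applied mechanically to an existing ipsec.conf. The script below is an added example written for this page, not part of strongSwan. It assumes the mapping of _authby_ values to _leftauth_ / _rightauth_ methods, that the XAuth client side carries the second round (_xauth=client_ becomes _leftauth2=xauth_, _xauth=server_ becomes _rightauth2=xauth_), that pluto defaulted _pfs_ to yes, and it drops _nat_traversal_ and _plutodebug_ in addition to the three setup keywords the page names. The sample configuration it rewrites is constructed for the example.

```python
"""Rewrite pluto-style ipsec.conf keywords into their charon IKEv1 equivalents."""

# Dropped from "config setup": plutostart, charonstart, crlcache (named on the page), plus
# nat_traversal (charon always does NAT-T) and plutodebug (pluto-only); last two are assumptions.
OBSOLETE_SETUP = {"plutostart", "charonstart", "crlcache", "nat_traversal", "plutodebug"}

# Deprecated authby= value -> leftauth/rightauth method of the first round (assumed mapping);
# the xauth* values additionally get a second XAuth round in migrate_conn().
AUTHBY_MAP = {"rsasig": "pubkey", "pubkey": "pubkey", "ecdsasig": "pubkey", "psk": "psk",
              "secret": "psk", "xauthrsasig": "pubkey", "xauthpsk": "psk"}

def parse(text):
    """Minimal ipsec.conf reader: unindented lines open a section, indented key=value lines fill it."""
    sections = []                                   # list of (header, {key: value})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            sections.append((line.strip(), {}))
        elif sections and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def dh_group(proposal):
    """DH group token of one proposal ('aes128-sha1-modp2048' -> 'modp2048'), '' if none."""
    return next((t for t in proposal.split("-") if t.startswith(("modp", "ecp"))), "")

def migrate_conn(name, opts, warnings):
    new = dict(opts)
    # authby= / xauth= -> leftauth/rightauth, plus leftauth2/rightauth2 for the XAuth round
    authby = new.pop("authby", None)
    role = new.pop("xauth", "client")               # pluto's XAuth role keyword, default client
    if authby is not None:
        method = AUTHBY_MAP.get(authby)
        if method is None:
            warnings.append(f"{name}: authby={authby} has no mapping, set leftauth/rightauth by hand")
        else:
            new.setdefault("leftauth", method)
            new.setdefault("rightauth", method)
            if authby.startswith("xauth"):
                # Assumption: the XAuth client side carries the second round, so
                # xauth=client -> leftauth2=xauth and xauth=server -> rightauth2=xauth.
                new["leftauth2" if role == "client" else "rightauth2"] = "xauth"
    # pfs=yes -> a DH group in every ESP proposal; use pfsgroup= if set, else the IKE group
    pfs = new.pop("pfs", None)
    group = new.pop("pfsgroup", "") or dh_group(new.get("ike", ""))
    proposals = new["esp"].split(",") if "esp" in new else []
    if pfs == "yes":
        if not group or not proposals:
            warnings.append(f"{name}: pfs=yes but no DH group or esp= to extend, fix esp= by hand")
        else:
            new["esp"] = ",".join(p if dh_group(p) else f"{p}-{group}" for p in proposals)
    elif pfs is None and proposals and not all(dh_group(p) for p in proposals):
        # Assumption: pluto defaulted pfs to yes, so a conn that never set it silently loses PFS.
        warnings.append(f"{name}: no pfs= given; pluto defaulted to PFS but esp= names no DH group")
    # rightsubnetwithin is now merely an alias for rightsubnet
    if "rightsubnetwithin" in new:
        new.setdefault("rightsubnet", new.pop("rightsubnetwithin"))
    return new

def migrate(text):
    """Return the rewritten ipsec.conf text and the notes that still need a human."""
    warnings, out = [], []
    for header, opts in parse(text):
        if header == "config setup":
            dropped = sorted(k for k in opts if k in OBSOLETE_SETUP)
            opts = {k: v for k, v in opts.items() if k not in OBSOLETE_SETUP}
            if dropped:
                warnings.append("config setup: dropped " + ", ".join(dropped))
        elif header.startswith("conn "):
            opts = migrate_conn(header[5:], opts, warnings)
        out.append(header)
        out.extend(f"\t{k}={v}" for k, v in opts.items())
        out.append("")
    return "\n".join(out), warnings

# Constructed pluto-style configuration used to exercise the rules above.
PLUTO_CONF = """\
config setup
\tplutostart=yes
\tcharonstart=yes
\tnat_traversal=yes
\tuniqueids=yes

conn rw
\tauthby=xauthrsasig
\txauth=server
\tpfs=yes
\tike=aes128-sha1-modp2048
\tesp=aes128-sha1,3des-md5
\trightsubnetwithin=10.1.0.0/16
"""

if __name__ == "__main__":
    print(*migrate(PLUTO_CONF), sep="\n")
```

Running it prints the rewritten configuration (the _conn rw_ section ends up with _leftauth=pubkey_, _rightauth=pubkey_, _rightauth2=xauth_, _esp=aes128-sha1-modp2048,3des-md5-modp2048_ and _rightsubnet=10.1.0.0/16_) followed by the notes for anything it could not decide on its own; review those notes rather than installing the output blindly, since the PFS and XAuth mappings are assumptions about the old configuration's intent.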