Charon-Pluto IKEv1 Interoperability » History » Version 12
Andreas Steffen, 14.06.2012 13:01
1 | 2 | Andreas Steffen | h1. Charon-Pluto IKEv1 Interoperability |
---|---|---|---|
2 | 1 | Andreas Steffen | |
3 | 3 | Andreas Steffen | * "IKEv1 Interoperability Test Cases":http://www.strongswan.org/uml/pluto_charon_ikev1_interoperability/ between the strongSwan Charon and Pluto daemons. |
4 | 4 | Martin Willi | |
5 | 4 | Martin Willi | h1. Migration from Pluto to Charon |
6 | 4 | Martin Willi | |
7 | 10 | Tobias Brunner | We've tried hard to support most pluto configurations in charon. But please keep in mind that IKEv1 in charon is a completely new implementation and that it might behave differently than IKEv1 in pluto. |
8 | 4 | Martin Willi | |
9 | 4 | Martin Willi | |
10 | 4 | Martin Willi | h2. Obsolete keywords |
11 | 4 | Martin Willi | |
12 | 12 | Andreas Steffen | The [[IpsecConf|ipsec.conf]] [[ConfigSetupSection|config setup]] section no longer supports any of the [[ConfigSetupSection#IKEv1-pluto-daemon-only|pluto-specific]] keywords, nor _plutostart_ and _charonstart_. NAT-Traversal is always enabled in charon, for both IKEv1 and IKEv2. The IKEv2 _eap_ keyword has been removed. |
13 | 4 | Martin Willi | |
14 | 4 | Martin Willi | h2. Deprecated, but still supported keywords |
15 | 4 | Martin Willi | |
16 | 4 | Martin Willi | The _authby_ and _xauth_ keywords are still supported, but deprecated. Please migrate your installation to the _leftauth_ / _rightauth_ keywords. XAuth is configured as multiple authentication rounds using the _leftauth2_ / _rightauth2_ keywords (i.e. _leftauth=pubkey_, _leftauth2=xauth_). To configure the new Hybrid Mode, define _leftauth=xauth_ and _rightauth=pubkey_. |
17 | 5 | Martin Willi | |
18 | 5 | Martin Willi | h2. Perfect Forward Secrecy (PFS) |
19 | 5 | Martin Willi | |
20 | 10 | Tobias Brunner | The _pfs_ option has been removed. To enable PFS, both IKEv1 and IKEv2 now use the same syntax: list a Diffie-Hellman group in the ESP proposal, e.g. _esp=aes128-sha1-modp2048_. |
21 | 6 | Martin Willi | |
22 | 6 | Martin Willi | h2. Smartcards and PKCS#11 |
23 | 6 | Martin Willi | |
24 | 6 | Martin Willi | IKEv1 can use the same [[SmartCardsIKEv2|PKCS#11 backend]] as IKEv2; all pluto-specific PKCS#11 options are obsolete. |
25 | 8 | Martin Willi | |
26 | 8 | Martin Willi | h2. Narrowing with _rightsubnetwithin_ |
27 | 8 | Martin Willi | |
28 | 10 | Tobias Brunner | The IKEv1 responder narrowing keyword _rightsubnetwithin_ is not supported anymore, but is kept as an alias for _rightsubnet_. The _leftsubnet_ / _rightsubnet_ definitions are automatically narrowed if required. Please be aware that IKEv1 does not actually support narrowing, and returning a smaller subnet than requested might confuse the initiator (but works fine with charon). To interoperate with other implementations, make sure your subnet definitions match exactly. |
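
A pre-migration check for the keyword changes described above, as an added example that is not part of the strongSwan project or of the original wiki page. The function name @lint@, the sample configuration and the rule that Diffie-Hellman tokens start with @modp@ or @ecp@ are assumptions made for this illustration; only keywords named on this page are checked.

```python
import re

# Keywords named in the migration notes above; not an exhaustive list.
NOTES = {
    "plutostart": "obsolete in config setup",
    "charonstart": "obsolete in config setup",
    "eap": "removed IKEv2 keyword",
    "pfs": "removed; list a DH group in esp= instead",
    "authby": "deprecated; use leftauth/rightauth",
    "xauth": "deprecated; use leftauth2/rightauth2",
    "rightsubnetwithin": "now only an alias for rightsubnet",
}
# Assumption: DH group tokens in a proposal start with "modp" or "ecp".
DH_TOKEN = re.compile(r"(modp|ecp)\d+", re.IGNORECASE)


def lint(conf_text):
    """Return (line_no, section, message) findings for ipsec.conf text."""
    findings, section = [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a section
            section = " ".join(line.split())
            continue
        key, sep, value = map(str.strip, line.lower().partition("="))
        if sep and key in NOTES:
            findings.append((no, section, f"{key}: {NOTES[key]}"))
        if sep and key == "esp":  # every proposal needs its own DH group
            for prop in value.rstrip("!").split(","):
                if not any(DH_TOKEN.match(t) for t in prop.strip().split("-")):
                    findings.append((no, section, f"esp: {prop.strip()} has no DH group, PFS not enabled"))
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
config setup
    plutostart=yes
conn legacy
    authby=xauthrsasig
    pfs=yes
    esp=aes128-sha1,aes256-sha1-modp2048
    rightsubnetwithin=10.1.0.0/16
conn migrated
    leftauth=pubkey
    leftauth2=xauth
    esp=aes128-sha1-modp2048
"""
```

Calling @lint(SAMPLE)@ reports five findings, all in @config setup@ and @conn legacy@; the finding on the @esp@ line shows that a removed @pfs=yes@ must be replaced by a DH group in every ESP proposal, not just one of them.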