
Version 12 (Andreas Steffen, 14.06.2012 13:01) → Version 13/24 (Andreas Steffen, 15.06.2012 08:37)

h1. Charon-Pluto IKEv1 Interoperability

* "IKEv1 Interoperability Test Cases":http://www.strongswan.org/uml/pluto_charon_ikev1_interoperability/ between the strongSwan Charon and Pluto daemons.

h1. Migration from Pluto to Charon

We have tried hard to support most pluto configurations in charon, but please keep in mind that IKEv1 in charon is a completely new implementation and may behave differently from IKEv1 in pluto.

h2. Obsolete keywords

The [[IpsecConf|ipsec.conf]] [[ConfigSetupSection|config setup]] section no longer supports any of the [[ConfigSetupSection#IKEv1-pluto-daemon-only|pluto specific]] keywords, nor _plutostart_ and _charonstart_. NAT-Traversal is always enabled in charon, for both IKEv1 and IKEv2. The IKEv2 _eap_ keyword has been removed.

h2. Deprecated, but still supported keywords

The _authby_ and _xauth_ keywords are still supported, but deprecated. Please migrate your installation to the _leftauth_ / _rightauth_ keywords. XAuth is configured as an additional authentication round using the _leftauth2_ / _rightauth2_ keywords (i.e. _leftauth=pubkey_, _leftauth2=xauth_). To configure the new Hybrid Mode, define _leftauth=xauth_ and _rightauth=pubkey_.

h2. Perfect Forward Secrecy (PFS)

The _pfs_ option has been removed and the default for IKEv1 has been changed from enabled to disabled. To enable PFS, both IKEv1 and IKEv2 now use the same syntax, namely listing a Diffie-Hellman group in the ESP proposal, e.g. _esp=aes128-sha1-modp2048_.

h2. Smartcards and PKCS#11

IKEv1 can use the same [[SmartCardsIKEv2|PKCS#11 backend]] as IKEv2; all pluto specific PKCS#11 options are obsolete.

h2. Narrowing with _rightsubnetwithin_

The IKEv1 responder narrowing keyword _rightsubnetwithin_ is no longer supported as such; it is now an alias for _rightsubnet_. The _leftsubnet_ / _rightsubnet_ definitions are automatically narrowed if required. Please be aware that IKEv1 does not actually support narrowing, and returning a smaller subnet than requested might confuse the initiator (although it works fine with charon). To interoperate with other implementations, make sure your subnet definitions match exactly.
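The keyword changes described in the sections above (obsolete config setup keywords, deprecated _authby_ / _xauth_, the removed _pfs_ option and _rightsubnetwithin_) can be checked mechanically before switching an installation over to charon. The following is an added example, not part of this page or of strongSwan itself: a small Python linter with a minimal ipsec.conf parser; the sample configuration, the rule texts and the severity labels are constructed here for illustration.

```python
import re
# Keyword migration rules from this page: keyword -> (severity, advice).
RULES = {
    "plutostart": ("obsolete", "removed; charon runs both IKEv1 and IKEv2"),
    "charonstart": ("obsolete", "removed; charon runs both IKEv1 and IKEv2"),
    "nat_traversal": ("obsolete", "removed; NAT-Traversal is always enabled"),
    "pfs": ("obsolete", "removed; list a DH group in esp=, e.g. aes128-sha1-modp2048"),
    "rightsubnetwithin": ("obsolete", "alias for rightsubnet; make subnets match exactly"),
    "authby": ("deprecated", "use leftauth/rightauth"),
    "xauth": ("deprecated", "use leftauth2/rightauth2, e.g. leftauth=pubkey, leftauth2=xauth"),
}
def parse_ipsec_conf(text):
    """Minimal ipsec.conf parser -> {section: {key: value}}; strips comments, no includes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line opens a section ("conn foo")
            current = line.strip()
        else:
            key, _, value = line.strip().partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def lint(text):
    """Return (section, keyword, severity, advice) for every migration issue found."""
    findings = []
    for section, keys in parse_ipsec_conf(text).items():
        findings += [(section, k) + RULES[k] for k in keys if k in RULES]
        # pluto enabled PFS by default; charon does PFS only when esp= names a DH group
        if (section.startswith("conn ") and keys.get("pfs", "yes") != "no"
                and not re.search(r"(modp|ecp)\d+", keys.get("esp", ""))):
            findings.append((section, "esp", "pfs-lost", "add a DH group to the esp= proposal"))
    return findings
# Constructed pluto-era ipsec.conf used as sample input (not a real deployment).
SAMPLE_CONF = """\
config setup
    plutostart=yes
    nat_traversal=yes
conn roadwarrior
    authby=rsasig
    xauth=server
    pfs=yes
    esp=aes128-sha1
    rightsubnetwithin=10.1.0.0/16
conn site-to-site
    leftauth=pubkey
    esp=aes128-sha1-modp2048
"""
```

Running `lint(SAMPLE_CONF)` reports two obsolete keywords in `config setup` and five issues in `conn roadwarrior` (the deprecated _authby_ and _xauth_, the obsolete _pfs_ and _rightsubnetwithin_, and the PFS that would silently be lost because the ESP proposal names no DH group), while the already migrated `conn site-to-site` is clean.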