Charon-Pluto IKEv1 Interoperability » History » Version 21

Martin Willi, 02.07.2014 12:48
Updated missing features

h1. Charon-Pluto IKEv1 Interoperability

* "IKEv1 Interoperability Test Cases": between the strongSwan Charon and Pluto daemons.

h1. Migration from Pluto to Charon

* We have tried hard to support most pluto configurations in charon, but please keep in mind that IKEv1 in charon is a completely new implementation and may behave differently from IKEv1 in pluto.

h2. Obsolete keywords

* The [[IpsecConf|ipsec.conf]] [[ConfigSetupSection|config setup]] section no longer supports any of the [[ConfigSetupSection#IKEv1-pluto-daemon-only|pluto specific]] keywords, nor _plutostart_ and _charonstart_. NAT-Traversal is always enabled in charon, for both IKEv1 and IKEv2. The IKEv2 _eap_ keyword has been removed.

h2. Deprecated, but still supported keywords

* The _authby_ and _xauth_ keywords are still supported, but deprecated. Please migrate your installation to the _leftauth_ / _rightauth_ keywords. XAuth is configured as an additional authentication round using the _leftauth2_ / _rightauth2_ keywords (i.e. _leftauth=pubkey_, _leftauth2=xauth_). To configure the new Hybrid Mode, define _leftauth=xauth_ and _rightauth=pubkey_.

h2. Perfect Forward Secrecy (PFS)

* The _pfs_ option has been removed and the default for IKEv1 has been changed from enabled to disabled. To enable PFS, both IKEv1 and IKEv2 now use the same syntax: a Diffie-Hellman group is appended to the ESP proposal, e.g. _esp=aes128-sha1-modp2048_.

h2. Smartcards and PKCS#11

* IKEv1 can use the same [[SmartCardsIKEv2|PKCS#11 backend]] as IKEv2; all pluto-specific PKCS#11 options are obsolete.

h2. Narrowing with _rightsubnetwithin_

* The IKEv1 responder narrowing keyword _rightsubnetwithin_ is no longer supported as such; it is now merely an alias for _rightsubnet_. The _leftsubnet_ / _rightsubnet_ definitions are automatically narrowed if required. Please be aware that IKEv1 itself does not support narrowing: returning a smaller subnet than requested might confuse the initiator (although it works fine with charon). To interoperate with other implementations, make sure your subnet definitions match exactly on both sides.
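The three migrations above (deprecated _authby_ / _xauth_, removed _pfs_, and _rightsubnetwithin_) side by side in one ipsec.conf, as an added example that is not part of the original wiki page. The connection name, subnets and certificate file name are constructed, and the pluto-style values _authby=xauthrsasig_ / _xauth=server_ are assumed for the "before" half.

```conf
# Before: a pluto-style IKEv1 remote-access gateway (constructed example)
config setup
        # obsolete in charon: no pluto daemon, no separate start flags
        plutostart=yes
        charonstart=yes
        # obsolete: NAT traversal is always enabled in charon
        nat_traversal=yes

conn rw-xauth
        keyexchange=ikev1
        # deprecated: RSA signature plus XAuth, gateway acts as XAuth server
        authby=xauthrsasig
        xauth=server
        # removed: PFS is now expressed through the DH group in esp=
        pfs=yes
        left=%defaultroute
        leftcert=gatewayCert.pem
        leftsubnet=10.1.0.0/16
        right=%any
        # now just an alias for rightsubnet
        rightsubnetwithin=10.3.0.0/16
        auto=add

# After: the equivalent charon configuration
config setup
        # nothing pluto-specific left here

conn rw-xauth
        keyexchange=ikev1
        # gateway authenticates with its certificate
        leftauth=pubkey
        # client: first round RSA signature, second round XAuth credentials
        rightauth=pubkey
        rightauth2=xauth
        # modp2048 in the ESP proposal enables PFS (default is off for IKEv1)
        esp=aes128-sha1-modp2048
        left=%defaultroute
        leftcert=gatewayCert.pem
        leftsubnet=10.1.0.0/16
        right=%any
        # no narrowing in IKEv1: non-charon peers must request exactly this
        rightsubnet=10.3.0.0/16
        auto=add
```

The two halves are shown together for comparison only; load one or the other, not both, since they share a connection name.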
h2. Missing Features

* -IKEv1 Mode Config Push Mode is not implemented yet. This might be an issue with Cisco Access Concentrators which usually force Mode Config Push Mode in the absence of XAUTH-based authentication.- [[5.1.1]]

* Support of some known Cisco quirks, e.g. tolerating surplus zero bytes in IKEv1 messages.

* -Support of X.509 attribute certificates defining group memberships or roles for remote access users is not completed yet, although most of the necessary charon code is already in place.- [[5.1.3]]

* -draft-ietf-ipsec-nat-t-ike-02 style NAT traversal, as used by Windows XP, is currently not supported. RFC 3947 NAT traversal is fully supported.- [[5.0.2]]