Charon-Pluto IKEv1 Interoperability » History » Version 7

Martin Willi, 14.06.2012 11:10


Charon-Pluto IKEv1 Interoperability

Migration from Pluto to Charon

We've tried hard to support most pluto configurations in charon. But please keep in mind that IKEv1 in charon is a completely new implementation and that it might behave differently from IKEv1 in pluto.

Obsolete keywords

The ipsec.conf config setup section does not support any of the Pluto-specific keywords, nor the plutostart, charonstart or crlcache keywords.

NAT-Traversal is always enabled in charon, for both IKEv1 and IKEv2. The IKEv2 eap keyword has been removed.

Deprecated, but still supported keywords

The authby and xauth keywords are still supported, but deprecated. Please migrate your installation to the leftauth / rightauth keywords. XAuth is configured as multiple rounds using the leftauth2 / rightauth2 keywords (e.g. leftauth=pubkey, leftauth2=xauth). To configure the new Hybrid Mode, define leftauth=xauth and rightauth=pubkey.

Perfect Forward Secrecy (PFS)

The pfs option has been removed. IKEv1 now uses the same syntax to define PFS as IKEv2. To enable PFS, include the Diffie-Hellman group in your ESP proposal, for example esp=aes128-sha1-modp2048.
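The keyword changes listed above can be checked mechanically before switching daemons. The following is an added example, not strongSwan code: parse() and lint() are hypothetical helper names, only the keywords named on this page are checked, the DH group name pattern is an assumption, and also= / %default inheritance is not resolved.

```python
import re

# Only keywords named on the page; unlisted Pluto-specific ones are left out.
SETUP_OBSOLETE = {"plutostart", "charonstart", "crlcache"}
CONN_RULES = {"eap": "removed", "authby": "deprecated: use leftauth/rightauth",
              "xauth": "deprecated: use leftauth2/rightauth2"}
DH_GROUP = re.compile(r"-(modp|ecp)\d+")  # assumption: groups named modpN/ecpN

def parse(text):
    """Return [(section, {key: (line_no, value)})] for an ipsec.conf string."""
    sections = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():  # section headers start in column 0
            sections.append((" ".join(line.split()), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = (no, value.strip())
    return sections

def lint(text):
    """Return sorted (line_no, section, keyword, message) findings."""
    out = []
    for section, params in parse(text):
        is_conn = section.startswith("conn ")
        for key, (no, value) in params.items():
            if section == "config setup" and key in SETUP_OBSOLETE:
                out.append((no, section, key, "obsolete"))
            elif is_conn and key in CONN_RULES:
                out.append((no, section, key, CONN_RULES[key]))
            elif is_conn and key == "pfs":
                # pfs=yes no longer has any effect; PFS needs a DH group in esp=
                esp = params.get("esp", (0, ""))[1]
                lost = value == "yes" and not DH_GROUP.search(esp)
                out.append((no, section, key,
                            "removed: no DH group in esp=" if lost else "removed"))
    return sorted(out)

# Constructed pluto-era configuration, not taken from the page.
SAMPLE = """\
config setup
    plutostart=yes
conn rw
    authby=rsasig
    xauth=server
    pfs=yes
    esp=aes128-sha1
"""
if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The pfs finding is the one to act on first: a connection that relied on pfs=yes and has no DH group in esp= needs the group added to its proposal to keep PFS.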

Smartcards and PKCS#11

IKEv1 can use the same PKCS#11 backend as IKEv2; all pluto-specific PKCS#11 options are obsolete.