strongSwan

h1. Charon-Pluto IKEv1 Interoperability

* "IKEv1 Interoperability Test Cases":http://www.strongswan.org/uml/pluto_charon_ikev1_interoperability/ between the strongSwan Charon and Pluto daemons.

h1. Migration from Pluto to Charon

We've tried hard to support most of pluto configurations in charon. But please keep in mind that IKEv1 in charon is a completely new implementation and that it might behave different than IKEv1 in pluto.

h2. Obsolete keywords

The [[IpsecConf|ipsec.conf]] [[ConfigSetupSection|config setup]] section does not support any of the [[ConfigSetupSection#IKEv1-pluto-daemon-only|Pluto specific]] keywords, nor the _plutostart_, _charonstart_ or _crlcache_ keywords. 

NAT-Traversal is always enabled in charon, for both IKEv1 and IKEv2. The IKEv2 _eap_ keywords has been removed.

h2. Deprecated, but still supported keywords

The _authby_ and _xauth_ keywords are still supported, but deprecated. Please migrate your installation to the _leftauth_ / _rightauth_ keywords. XAuth is configured as multiple rounds using _leftauth2_ / _rightauth2_ keywords (i.e. _leftauth=pubkey_, _leftauth2_=xauth). To configure the new Hybrid Mode, define _leftauth=xauth_ and _rightauth=pubkey_.

h2. Perfect Forward Secrecy (PFS)

The _pfs_ option has been removed. IKEv1 now uses the same syntax to define PFS as we use it in IKEv2. To enable PFS, include the Diffie-Hellman group in your ESP proposal, _esp=aes128-sha1-modp2048_.

h2. Smartcards and PKCS#11

IKEv1 can use the same [[SmartCardsIKEv2|PKCS#11 backend]] as IKEv2, all pluto specific PKCS#11 options are obsolete.