<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Oct 3, 2010, at 9:57 PM, Andreas Steffen wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hi Troy,<br><br>--disable-des disables the des plugin but the 3DES is still provided<br>by either the openssl or gcrypt plugins which you seem to have enabled.<br>You can generate all combinations of encryption, integrity and key<br>exchange algorithms in the following way:<br><br> ike=aes128-aes256-sha1-sha2-md5-modp1536-modp2048-modp1024!<br></div></blockquote><div><br></div><div>I noticed that syntax in the ipsec.conf man page; however it doesn't appear to work for either pluto or charon:</div><div><br></div><div>I'm getting the following for each conn entry (from pluto):</div><div><div>Oct 3 23:24:26 pilot pluto[13470]: added connection description "rw"</div><div>Oct 3 23:24:26 pilot pluto[13470]: syntax error in ike string</div><div><br></div></div><div>And something similar from charon:</div><div><div>Oct 3 23:20:25 pilot charon: 00[DMN] loaded plugins: curl ldap aes sha1 sha2 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp </div><div>Oct 3 23:20:25 pilot charon: 00[JOB] spawning 16 worker threads </div><div>Oct 3 23:20:25 pilot charon: 03[CFG] crl caching to /etc/ipsec.d/crls enabled </div><div>Oct 3 23:20:25 pilot charon: 03[CFG] received stroke: add connection 'rw' </div><div>Oct 3 23:20:25 pilot charon: 03[CFG] skipped invalid proposal string: aes128-aes256-sha1-sha2-modp1536-modp2048-modp1024 </div><div>Oct 3 23:20:25 pilot charon: 03[CFG] loaded certificate "C=US, ST=<blah>"</div></div><div><br></div><div>I've dug into the Debian package, and here's what I've found:</div><div>* One patch to the init script for debian: "Fixed init script for restart to work when either pluto or charon</div><div> are not installed."</div><div><br></div><div>* ./configure options of:</div><div><div>CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \</div><div> --libexecdir=/usr/lib \</div><div> --enable-ldap --enable-curl \</div><div> --with-capabilities=libcap \</div><div> --enable-smartcard \</div><div> --with-default-pkcs11=/usr/lib/opensc-pkcs11.so \</div><div> --enable-mediation --enable-medsrv --enable-medcli \</div><div> --enable-openssl --enable-agent \</div><div> --enable-eap-radius --enable-eap-identity --enable-eap-md5 \</div><div> --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \</div><div> --enable-sql --enable-integrity-test \</div><div> --enable-nat-transport --enable-sqlite \</div><div> --enable-nm --enable-ha --enable-dhcp --enable-farp \</div><div> --enable-test-vectors</div><div><br></div><div>(I personally added --enable-sqlite and --enable-nat-transport; --enable-nat-transport was enabled because I have to have L2TP, and L2TP won't work in either transport or tunnel mode unless --enable-nat-transport is used.)</div></div><br><blockquote type="cite"><div><br>On 10/04/2010 12:24 AM, Troy Telford wrote:<br><blockquote type="cite">I hope this is a quick question:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">It seems tedious to have to list each and every combination of allowed <br></blockquote><blockquote type="cite">cipher, but exclude DES/3DES by using ike= and esp=.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I realize I could simply limit to, say, AES, by using something like:<br></blockquote><blockquote type="cite">ike=aes128-md5-modp1536<br></blockquote><blockquote type="cite">esp=aes128-md5-modp1536<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">but I'd rather remain flexible...<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I've tried compiling strongswan with --disable-des, however 'ipsec <br></blockquote><blockquote type="cite">listall' still lists DES and 3DES:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">000 List of registered IKEv1 Algorithms:<br></blockquote><blockquote type="cite">000<br></blockquote><blockquote type="cite">000 encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC<br></blockquote><blockquote type="cite">000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512<br></blockquote><blockquote type="cite">000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 <br></blockquote><blockquote type="cite">MODP_6144 MODP_8192 ECP_256 ECP_384 ECP_521 MODP_1024_160 MODP_2048_224 <br></blockquote><blockquote type="cite">MODP_2048_256 ECP_192 ECP_224<br></blockquote><blockquote type="cite">000<br></blockquote><blockquote type="cite">000 List of registered ESP Algorithms:<br></blockquote><blockquote type="cite">000<br></blockquote><blockquote type="cite">000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC <br></blockquote><blockquote type="cite">AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16 <br></blockquote><blockquote type="cite">CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC<br></blockquote><blockquote type="cite">000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_RIPEMD <br></blockquote><blockquote type="cite">AES_XCBC_96 NULL HMAC_SHA2_256_96<br></blockquote><blockquote type="cite">List of registered IKEv2 Algorithms:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"> encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC <br></blockquote><blockquote type="cite">BLOWFISH_CBC DES_CBC DES_ECB NULL<br></blockquote><blockquote type="cite"> integrity: AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160 <br></blockquote><blockquote type="cite">HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192 <br></blockquote><blockquote type="cite">HMAC_SHA2_512_256<br></blockquote><blockquote type="cite"> hasher: HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512 <br></blockquote><blockquote type="cite">HASH_MD2 HASH_MD4 HASH_MD5<br></blockquote><blockquote type="cite"> prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC <br></blockquote><blockquote type="cite">PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 <br></blockquote><blockquote type="cite">PRF_HMAC_SHA2_512<br></blockquote><blockquote type="cite"> dh-group: MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256 <br></blockquote><blockquote type="cite">ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 <br></blockquote><blockquote type="cite">MODP_1024 MODP_1024_160 MODP_768<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">So am I just reading what's happening wrong, or what?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Thanks,<br></blockquote><br><br>-- <br>======================================================================<br>Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></div></blockquote></div><br><div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-family: Helvetica; "><div>--</div><div>Troy Telford</div><div><a href="mailto:ttelford.groups@gmail.com">ttelford.groups@gmail.com</a></div></div>
</div>
<br></body></html>