[strongSwan-dev] Configuration problem for ikev2

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 29 11:58:25 CEST 2010


On 29.06.2010 11:12, wei.you at orange-ftgroup.com wrote:
> Hello,
> 
>  
> 
> We are engineers at Orange Labs, and we are now doing some tests of
> IKEv2 in the strongSwan environment. We aim to configure IPsec like this:
> 
>  
> 
> DH = 1536-bit MODP Group
> PRF = PRF_HMAC_SHA1
> ID = ID_KEY_ID
> AUTH = RSA Digital Signature
> ESP_ENCR = ENCR_AES_CBC or NULL
> ESP_AUTH = AUTH_HMAC_SHA1_96 or NULL
> 
>  
> 
> We have now managed to configure ipsec.conf with these parameters, like:
> 
> -- conn <>
>                 auth = esp
>                 authby = rsasig
>                 ike = modp1536
>                 keyexchange = ikev2
>                 esp = aes128|aes192|aes256|null (for encryption)
>                 esp = sha1|sha (for authentication )
>
the correct notation is

ike=aes128-aes192-aes256-sha1-modp1536!
esp=aes128-aes192-aes256-null-sha1!

- Defining sha1 in ike selects the PRF_HMAC_SHA1
- NULL ESP authentication is not supported whereas
  NULL ESP encryption is.
- An ID_KEY_ID is defined in HEX format as follows:
  leftid=@#d3ab780f2ced

  even if it is a human readable ASCII string.

> But we still have the following problems:
> 
> 1, for the ESP_ENCR and the ESP_AUTH, how can we put both values
> “aes128” (for ESP_ENCR) and “sha1” (for ESP_AUTH) into the single “esp”
> parameter in the ipsec.conf?
> 
> 2, we didn’t find the right parameters for the “PRF” and the “ID”, so do
> you have any idea how we can configure these parameters? Or is
> there any document where we can find a complete description of
> the configuration?
> 
>  
> 
> Thank you
> 
>  
> 
> Orange Labs
> 
> Equip MAPS/STT

Regards

Andreas

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
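
Added example (not part of the original message and not strongSwan code): a small checker for the proposal notation described in the reply, plus the "@#<hex>" form of an ID_KEY_ID. The function names, the KNOWN keyword subset (limited to the algorithms named in this thread) and the sample strings are assumptions made for illustration.

```python
# Added example, not strongSwan code. KNOWN is a small keyword subset limited
# to the algorithms named in this thread, not strongSwan's full keyword list.
KNOWN = {
    "aes128": "encr", "aes192": "encr", "aes256": "encr", "null": "encr",
    "sha1": "integ",
    "modp1536": "dh",
}


def parse_proposal(value):
    """Split 'alg-alg-...[!]' into transform classes; '!' marks a strict proposal."""
    parsed = {"encr": [], "integ": [], "dh": [], "unknown": [],
              "strict": value.endswith("!")}
    for token in value.rstrip("!").split("-"):
        parsed[KNOWN.get(token, "unknown")].append(token)
    return parsed


def check(kind, value):
    """Return the problems found in an ike= or esp= proposal string."""
    parsed = parse_proposal(value)
    problems = ["unknown keyword: " + t for t in parsed["unknown"]]
    if not parsed["encr"]:
        problems.append("no encryption algorithm")
    if not parsed["integ"]:
        # ike=: the integrity keyword also selects the PRF (sha1 -> PRF_HMAC_SHA1).
        # esp=: per the reply, NULL authentication is not supported.
        problems.append("no integrity algorithm")
    if kind == "ike" and not parsed["dh"]:
        problems.append("no DH group")
    return problems


def key_id(raw):
    """Render raw ID_KEY_ID bytes in the '@#<hex>' notation used for leftid."""
    return "@#" + bytes(raw).hex()


if __name__ == "__main__":
    print(check("ike", "aes128-aes192-aes256-sha1-modp1536!"))
    print(check("esp", "aes128-aes912-null-sha1!"))   # constructed typo
    print(check("esp", "aes128-aes256"))              # integrity left out
    print("leftid=" + key_id(b"gw1"))                 # constructed ASCII id
```

The checker only covers the rules stated in the reply; a keyword it does not know is reported rather than guessed at.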
