[strongSwan-dev] Strongswan: ESP encryption priority is different in IKEv1 and IKEv2

Andreas Steffen andreas.steffen at strongswan.org
Wed Jul 24 08:03:33 CEST 2013


Hi Jegathesh,

the reason is that there are two separate daemons running with
strongSwan 4.5.3, namely the legacy IKEv1 pluto daemon going back
to the FreeS/WAN project which originally had only 3DES built in
and AES was added as a patch some years later on, and the new IKEv2
charon daemon where usually the responder accepts the first suitable
cipher the initiator proposes. Thus the cipher selection strategies of
the two daemons are different due to historical reasons.

If you want consistent behaviour between IKEv1 and IKEv2, just upgrade
to strongSwan 5.0.4 where a single charon daemon is responsible for both
protocols.

Regards

Andreas

On 07/23/2013 04:17 PM, jegathesh malaiyappan wrote:
> Hi All,
>
> Strongswan: 4.5.3
>
> Strongswan is selecting a different ESP encryption priority for
> *IKEv1* and *IKEv2*.
>
> What is the reason for this?
>
> Node A: (Initiator)
> =======
>
> conn conn1
>   type=tunnel
>   ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>   esp=aes128-sha1, 3des-sha1!
>
> Node B: (Responder)
> =======
>
> conn conn1
>   type=tunnel
>   ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>   esp=3des-sha1,aes128-sha1!
>
> <snip> IKEv1 O/P
>
> ip x s
> src 10.10.10.11 dst 10.10.10.10
>         proto esp spi 0xc39d392e reqid 16384 mode tunnel
>         replay-window 0 flag nopmtudisc 20
>         auth hmac(sha1) 0xd64a2161bbcb15cc8214e92a7e741ee7f6a42354
>         enc cbc(*des3_ede*) 0x49ef278b1f67549994c7d249a116a30214d30cee8970bdd9
> src 10.10.10.10 dst 10.10.10.11
>         proto esp spi 0xc8ea85c3 reqid 16384 mode tunnel
>         replay-window 0 flag nopmtudisc 20
>         auth hmac(sha1) 0x08c788a2d2ce7a589eff32d9247e83a6ebd51c68
>         enc cbc(*des3_ede*) 0xc8114a2f0b28fe1f38a452798a63c786ba3fa909d5426e95
> </snip>
>
> *IKEv1*: Strongswan is selecting the *3DES* encryption method.
> *IKEv2*: Strongswan is selecting the *AES* encryption method.
>
> Could anyone clarify the reason a different encryption method is chosen
> for *IKEv1* and *IKEv2*?
>
> Thanks.
>
> Regards,
> Jegathesh.M


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
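To make the two selection strategies from the thread concrete, here is an added example (not strongSwan code, and not from either poster) that parses the `esp=` lines quoted in the question and resolves the negotiated ESP transform under each policy. The initiator-preference rule is what the reply describes for the IKEv2 charon daemon; the responder-preference rule is an assumed model that reproduces the 3DES outcome observed with IKEv1 pluto, since the page does not describe pluto's internal logic. The `XFRM_ENC_NAME` mapping and the `negotiate` helper are constructed for this illustration.

```python
"""Model of ESP proposal selection for the two strongSwan 4.5.3 daemons.

Added example, not strongSwan's own code.  It parses ipsec.conf-style
'esp=' values (comma-separated cipher-integrity pairs, trailing '!' for
strict mode) and resolves the negotiated transform under two policies:

  initiator-preference: the responder accepts the first entry in the
      initiator's list that it also offers (the behaviour the reply
      describes for the IKEv2 charon daemon).
  responder-preference: the responder walks its own list and takes the
      first entry the initiator also offered (an ASSUMED model that
      reproduces the 3DES outcome seen for IKEv1 pluto; the page does not
      describe pluto's internal logic).
"""
from __future__ import annotations

from typing import NamedTuple, Optional


class Proposal(NamedTuple):
    enc: str    # cipher keyword as written in ipsec.conf, e.g. "aes128", "3des"
    integ: str  # integrity keyword, e.g. "sha1"

    def __str__(self) -> str:
        return f"{self.enc}-{self.integ}"


# Mapping from ipsec.conf cipher keywords to the algorithm names that
# 'ip xfrm state' prints for the installed SA.  des3_ede is taken from the
# output in the original question; cbc(aes) is the kernel name for AES-CBC.
XFRM_ENC_NAME = {
    "3des": "cbc(des3_ede)",
    "aes128": "cbc(aes)",
}


def parse_esp(value: str) -> tuple[list[Proposal], bool]:
    """Parse an 'esp=' value into (ordered proposals, strict flag).

    Whitespace around entries is tolerated, as in the
    'esp=aes128-sha1, 3des-sha1!' line from the question.
    """
    text = value.strip()
    strict = text.endswith("!")
    if strict:
        text = text[:-1]
    proposals: list[Proposal] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        enc, sep, integ = item.partition("-")
        if not sep or not enc or not integ:
            raise ValueError(f"malformed ESP proposal entry: {item!r}")
        proposals.append(Proposal(enc, integ))
    if not proposals:
        raise ValueError("empty ESP proposal list")
    return proposals, strict


def select_initiator_preference(initiator: list[Proposal],
                                responder: list[Proposal]) -> Optional[Proposal]:
    """First initiator proposal the responder also lists (IKEv2 charon)."""
    acceptable = set(responder)
    return next((p for p in initiator if p in acceptable), None)


def select_responder_preference(initiator: list[Proposal],
                                responder: list[Proposal]) -> Optional[Proposal]:
    """First responder proposal the initiator also offered (assumed IKEv1 model)."""
    offered = set(initiator)
    return next((p for p in responder if p in offered), None)


def negotiate(initiator_esp: str, responder_esp: str, ike_version: int) -> Optional[Proposal]:
    """Resolve the ESP transform for the given ipsec.conf 'esp=' strings.

    Both configurations in the question carry the strict '!' flag, so only
    the listed proposals are considered; the default list that a non-strict
    responder would additionally accept is not modelled here.
    """
    initiator, _ = parse_esp(initiator_esp)
    responder, _ = parse_esp(responder_esp)
    if ike_version == 2:
        return select_initiator_preference(initiator, responder)
    if ike_version == 1:
        return select_responder_preference(initiator, responder)
    raise ValueError(f"unsupported IKE version: {ike_version}")


# Constructed from the ipsec.conf fragments quoted in the question.
NODE_A_ESP = "aes128-sha1, 3des-sha1!"   # initiator
NODE_B_ESP = "3des-sha1,aes128-sha1!"    # responder


if __name__ == "__main__":
    for version in (1, 2):
        chosen = negotiate(NODE_A_ESP, NODE_B_ESP, version)
        kernel = XFRM_ENC_NAME.get(chosen.enc, "?") if chosen else "none"
        print(f"IKEv{version}: {chosen}  -> ip xfrm state shows 'enc {kernel}'")
```

Running it prints `3des-sha1` for IKEv1 and `aes128-sha1` for IKEv2 with these two configurations, which is exactly the asymmetry the question reports. The practical consequence for an operator is the one the reply points at: with two daemons applying different rules, the only way to make the outcome independent of which side initiates is to list the proposals in the same order on both peers (or to move to a single daemon, as in strongSwan 5.x), rather than relying on either side's preference to win.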
