[strongSwan-dev] Please advise which is the best option and a way forward
Hilly B
hzbilman at gmail.com
Fri Oct 7 10:04:55 CEST 2022
Hi Developers,
We are running on CentOS 7 and we have
strongswan-5.7.2-1.el7.x86_64 already installed and the latest
version.
Our client will allow us to connect to them using:
Phase 1:
Authentication Method: Pre-Shared Secret, to be exchanged over the phone (SMS) only
Encryption Schema: IKEv2
Diffie-Hellman Group - IKE: DH Group-19
Encryption Algorithm: AES-256
Hashing Algorithm: SHA-256
PRF: SHA-256
Renegotiate IKE SA every: 86400 seconds
Phase 2:
IPSec: IPSec
Encryption Algorithm IPSec: AES-256
Hashing Algorithm IPSec: SHA-256
Renegotiate IPSec SA every: 28800 seconds
PFS: No PFS
Mode: Main Mode
I've been through the documentation from
https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites and since we
don't have strongSwan 5.8.x we are limited in what we can use.
*Option 1:* We have asked the client if we can use these alternate
protocols that are supported with Strongswan 5.7.
For Phase 1:
Instead of DH Group-19 use DH Group 18
Instead of AES-256 use aes256gmac
Instead of SHA-256 use sha256_96
For PRF instead of SHA-256 use AES XCBC
For Phase 2: IPsec
Instead of AES-256 use aes256gmac
Instead of SHA-256 use sha256_96
Question 1:
However it's not clear in the documentation
https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites. For IPsec
and StrongSwan 5.7 can you use aes256gmac instead of AES-256 and sha256_96
instead of SHA-256?
Question 2:
If this is possible with StrongSwan 5.7 how do you implement aes256gmac
IPSec Encryption Algorithm and sha256_96 IPSec Hashing Algorithm? Or are
there alternate options supported by StrongSwan 5.7?
*Option 2:*
Build Strongswan 5.8.x on Centos 7
However, from this post it seems it may not work:
https://wiki.strongswan.org/issues/3229
Question 3:
Has anyone successfully built Strongswan 5.8.x or later on Centos 7 and if
so would they be so kind as to share their instructions on how to do it?
Thanks for any assistance.
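
The client's parameter sheet above, written as a swanctl.conf fragment using strongSwan's proposal keywords (ecp256 is the keyword for DH group 19). This is an added example, not part of the original post; the connection and child names and every value in angle brackets are placeholders.

```conf
# Added example. <PEER_GATEWAY>, <LOCAL_SUBNET>, <PEER_SUBNET>, <PEER_ID>
# and the secret are placeholders to be replaced with the agreed values.
connections {
    client {
        version = 2                       # IKEv2
        remote_addrs = <PEER_GATEWAY>
        # Phase 1: AES-256, SHA-256 integrity, PRF SHA-256, DH group 19
        proposals = aes256-sha256-prfsha256-ecp256
        rekey_time = 86400s               # renegotiate IKE SA
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            net {
                local_ts = <LOCAL_SUBNET>
                remote_ts = <PEER_SUBNET>
                # Phase 2: AES-256 with SHA-256; no DH group listed, so no PFS
                esp_proposals = aes256-sha256
                rekey_time = 28800s       # renegotiate IPsec SA
            }
        }
    }
}

secrets {
    ike-client {
        id = <PEER_ID>
        secret = "<pre-shared secret>"
    }
}
```

When comparing against the Option 1 substitutes, note that aes256gmac is an authentication-only ESP transform (AES-GMAC with null encryption), so it does not provide the confidentiality that AES-256 does, and sha256_96 is the 96-bit truncation of HMAC-SHA-256 rather than the standard 128-bit one selected by sha256.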