[strongSwan] does strongswan support ECDH for IKEv1?
songling at juniper.net
Tue Apr 27 09:47:59 CEST 2010
Does anyone know how to turn on ECDH groups for IKEv1 negotiation in strongSwan? Here is what I did for my test, and it didn't work.
1/ Download the latest strongSwan tarball, v4.3.6.
2/ Install strongSwan.
3/ Configure the p1 proposal with an ECDH group for the strongSwan conn.
4/ Initiate the peer connection with DH group 19. I got the following error in the strongSwan log.
*****parsse ISAKMP oakley attribute:
[19 is ECP_256]
"ssg20" #1: ECP_256 is not supported.
"ssg20" #1: no acceptable oakley transform
"ssg20" #1: sending notification NO_PROPOSAL_CHOSE to 10.158.30.23:500
5/ Here is what I got from "sudo ipsec listalgs". I don't see ECC groups being listed.
test:~/strongswan-4.3.6$ sudo ipsec version
Linux strongSwan U4.3.6/K2.6.15-27-386
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
test:~/strongswan-4.3.6$ sudo ipsec listalgs
000 List of registered IKEv1 Algorithms:
000 encryption: 3DES_CBC AES_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144 MODP_8192
000 List of registered ESP Algorithms:
000 encryption: DES_CBC 3DES_CBC BLOWFISH_CBC NULL AES_CBC AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16 SERPENT_CBC TWOFISH_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 NULL HMAC_SHA2_256_96
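A way to check up front whether a peer's proposed DH group will be accepted, by comparing it against the "ipsec listalgs" output quoted in the message above. This is an added example, not part of the original post and not strongSwan code; the function names are hypothetical, the sample text is the listalgs output from the post, and the group numbers are the IANA IKE Diffie-Hellman group identifiers.

```python
import re

# IANA IKE Diffie-Hellman group numbers -> names as printed by "ipsec listalgs".
IKE_DH_GROUPS = {
    2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048", 15: "MODP_3072",
    16: "MODP_4096", 17: "MODP_6144", 18: "MODP_8192",
    19: "ECP_256", 20: "ECP_384", 21: "ECP_521",
}

# Sample input: the listalgs output from the post (ESP lines shortened).
SAMPLE = """\
000 List of registered IKEv1 Algorithms:
000 encryption: 3DES_CBC AES_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144 MODP_8192
000 List of registered ESP Algorithms:
000 encryption: DES_CBC 3DES_CBC BLOWFISH_CBC NULL AES_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 NULL HMAC_SHA2_256_96
"""

def parse_listalgs(text):
    """Return {section: {kind: [names]}}, e.g. result['IKEv1']['dh-group']."""
    sections, current = {}, None
    for line in text.splitlines():
        line = re.sub(r"^\d{3}\s*", "", line.strip())  # drop the "000 " prefix
        header = re.match(r"List of registered (\S+) Algorithms:", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and ":" in line:
            kind, names = line.split(":", 1)
            current[kind.strip()] = names.split()
    return sections

def check_proposal(text, group_numbers):
    """Map each proposed group number to (name, registered_for_IKEv1)."""
    registered = set(parse_listalgs(text).get("IKEv1", {}).get("dh-group", []))
    result = {}
    for number in group_numbers:
        name = IKE_DH_GROUPS.get(number)  # None for a number not in the table
        result[number] = (name, name in registered)
    return result

if __name__ == "__main__":
    for number, (name, ok) in check_proposal(SAMPLE, [14, 19]).items():
        print(f"group {number} ({name}): {'registered' if ok else 'NOT registered'}")
```

Only the IKEv1 section is consulted, so a name that appears solely under the ESP list does not count as available for phase 1.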