[strongSwan] does strongswan support ECDH for IKEv1?
Songling Yang
songling at juniper.net
Tue Apr 27 09:47:59 CEST 2010
Hi all,
Does anyone know how to turn on ECDH groups for IKEv1 negotiation in Strongswan? Here is what I did for my test and it didn't work.
1/ Download latest strongswan tarball v4.3.6.
2/ Install strongswan.
    ./configure -enable-openssl
    make
    make install
3/ Configure p1 proposal with ecdh group for strongswan conn.
    ike=3des-sha1-ecp256
4/ Initiate peer connection with DH group 19. I got the following error from strongswan log.
    *****parsse ISAKMP oakley attribute:
    af+type: OAKLEY_GROUP_DESCRIPTION
    length/value: 19
    [19 is ECP_256]
    "ssg20" #1: ECP_256 is not supported.
    "ssg20" #1: no acceptable oakley transform
    "ssg20" #1: sending notification NO_PROPOSAL_CHOSE to 10.158.30.23:500
5/ Here is what I got from "sudo ipsec listalgs". I don't see ECC groups being listed.
    test:~/strongswan-4.3.6$ sudo ipsec version
    Linux strongSwan U4.3.6/K2.6.15-27-386
    Institute for Internet Technologies and Applications
    University of Applied Sciences Rapperswil, Switzerland
    See 'ipsec --copyright' for copyright information.
    test:~/strongswan-4.3.6$ sudo ipsec listalgs
    000
    000 List of registered IKEv1 Algorithms:
    000
    000 encryption: 3DES_CBC AES_CBC
    000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
    000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144 MODP_8192
    000
    000 List of registered ESP Algorithms:
    000
    000 encryption: DES_CBC 3DES_CBC BLOWFISH_CBC NULL AES_CBC AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16 SERPENT_CBC TWOFISH_CBC
    000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 NULL HMAC_SHA2_256_96
Thanks.
Songling
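
The mismatch in the output above can be checked mechanically: the ike= line names ecp256 and the peer offers group 19, while the dh-group line under the IKEv1 heading lists only MODP groups. The Python below is an added example, not part of the original post and not strongSwan code; the function names and the keyword-to-name mapping (ecp256 to ECP_256) are assumptions for illustration, and the sample text is abridged from the post.

```python
import re

# Constructed sample, abridged from the `ipsec listalgs` output quoted in the post.
SAMPLE_LISTALGS = """\
000 List of registered IKEv1 Algorithms:
000 encryption: 3DES_CBC AES_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144 MODP_8192
000
000 List of registered ESP Algorithms:
000 encryption: DES_CBC 3DES_CBC BLOWFISH_CBC NULL AES_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 NULL HMAC_SHA2_256_96
"""

# IANA IKE group numbers (RFC 2409, RFC 3526, RFC 5903) written as listalgs-style names.
IANA_GROUPS = {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048", 15: "MODP_3072",
               16: "MODP_4096", 17: "MODP_6144", 18: "MODP_8192",
               19: "ECP_256", 20: "ECP_384", 21: "ECP_521"}

def registered_ikev1(listalgs_text):
    """Return {kind: set(names)} for the IKEv1 section only, skipping ESP."""
    algs, in_ikev1 = {}, False
    for line in listalgs_text.splitlines():
        body = re.sub(r"^\d{3}\s*", "", line).strip()  # drop the "000" prefix
        if body.startswith("List of registered"):
            in_ikev1 = "IKEv1" in body
        elif in_ikev1 and ":" in body:
            kind, names = body.split(":", 1)
            algs[kind.strip()] = set(names.split())
    return algs

def proposal_dh_groups(ike):
    """Map DH keywords in an ike= value ('3des-sha1-ecp256') to listalgs names.
    Assumption: keyword 'ecpNNN'/'modpNNN' corresponds to 'ECP_NNN'/'MODP_NNN'."""
    groups = []
    for proposal in ike.rstrip("!").split(","):  # a trailing '!' (strict flag) is ignored
        for token in proposal.strip().lower().split("-"):
            m = re.fullmatch(r"(modp|ecp)(\d+)", token)
            if m:
                groups.append(f"{m.group(1).upper()}_{m.group(2)}")
    return groups

def unregistered_dh_groups(ike, listalgs_text, peer_group=None):
    """DH groups from ike= (plus the peer's offered group number) that are not registered."""
    wanted = proposal_dh_groups(ike)
    if peer_group is not None:
        wanted.append(IANA_GROUPS.get(peer_group, f"GROUP_{peer_group}"))
    have = registered_ikev1(listalgs_text).get("dh-group", set())
    return sorted(set(wanted) - have)

print(unregistered_dh_groups("3des-sha1-ecp256", SAMPLE_LISTALGS, peer_group=19))
```

An empty result means every DH group in the proposal appears in the IKEv1 dh-group list; any name returned is a group the daemon has not registered for IKEv1.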