[strongSwan] Disable only 3DES?
Troy Telford
ttelford.groups at gmail.com
Mon Oct 4 00:24:22 CEST 2010
I hope this is a quick question:
It seems tedious to have to list each and every combination of allowed
cipher, but exclude DES/3DES by using ike= and esp=.
I realize I could simply limit to, say, AES, by using something like:
ike=aes128-md5-modp1536
esp=aes128-md5-modp1536
but I'd rather remain flexible...
I've tried compiling strongswan with --disable-des, however 'ipsec
listall' still lists DES and 3DES:
000 List of registered IKEv1 Algorithms:
000
000 encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096
MODP_6144 MODP_8192 ECP_256 ECP_384 ECP_521 MODP_1024_160 MODP_2048_224
MODP_2048_256 ECP_192 ECP_224
000
000 List of registered ESP Algorithms:
000
000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC
AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16
CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_RIPEMD
AES_XCBC_96 NULL HMAC_SHA2_256_96
List of registered IKEv2 Algorithms:
encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC
BLOWFISH_CBC DES_CBC DES_ECB NULL
integrity: AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160
HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192
HMAC_SHA2_512_256
hasher: HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512
HASH_MD2 HASH_MD4 HASH_MD5
prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC
PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384
PRF_HMAC_SHA2_512
dh-group: MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256
ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192
MODP_1024 MODP_1024_160 MODP_768
So am I just reading what's happening wrong, or what?
Thanks,
--
Troy Telford
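Added example, not part of the original post and not strongSwan code: a small Python parser for 'ipsec listall' output in the layout quoted above that reports, per section, which DES/3DES encryption algorithms are still registered. The function names and the DES/3DES name pattern are assumptions of this example, and the sample input is a shortened excerpt of the quoted output.

```python
import re

# Assumption of this example: "weak" means single DES or 3DES in any mode.
WEAK = re.compile(r"^3?DES_")

def parse_listall(text):
    """Return {section: {category: [algorithms]}} from listall-style text."""
    sections, section, category = {}, None, None
    for raw in text.splitlines():
        line = re.sub(r"^000\s?", "", raw).strip()  # some lines carry a 000 prefix
        if not line:
            continue
        m = re.match(r"List of registered (.+?) Algorithms:?$", line)
        if m:
            section, category = m.group(1), None
            sections[section] = {}
            continue
        if section is None:
            continue  # ignore anything before the first section header
        m = re.match(r"([a-z-]+):\s*(.*)$", line)
        if m:  # a new category such as "encryption:" or "dh-group:"
            category, line = m.group(1), m.group(2)
            sections[section].setdefault(category, [])
        if category is not None:  # wrapped lines continue the current category
            sections[section][category].extend(line.split())
    return sections

def weak_ciphers(text):
    """Map each section to the DES/3DES encryption algorithms it registers."""
    return {name: [a for a in cats.get("encryption", []) if WEAK.match(a)]
            for name, cats in parse_listall(text).items()}

# Shortened excerpt of the listall output quoted in the post.
SAMPLE = """\
000 List of registered IKEv1 Algorithms:
000
000 encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000 List of registered ESP Algorithms:
000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC
AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16
List of registered IKEv2 Algorithms:
encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC
BLOWFISH_CBC DES_CBC DES_ECB NULL
"""

if __name__ == "__main__":
    for section, algs in weak_ciphers(SAMPLE).items():
        print(f"{section}: {', '.join(algs) or 'no DES/3DES registered'}")
```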