[strongSwan] Disable only 3DES?

Andreas Steffen andreas.steffen at strongswan.org
Mon Oct 4 05:57:14 CEST 2010


Hi Troy,

--disable-des disables the des plugin but the 3DES is still provided
by either the openssl or gcrypt plugins which you seem to have enabled.
You can generate all combinations of encryption, integrity and key
exchange algorithms in the following way:

  ike=aes128-aes256-sha1-sha2-md5-modp1536-modp2048-modp1024!

This gives you 27 cipher suites which is already quite flexible.

Regards

Andreas

On 10/04/2010 12:24 AM, Troy Telford wrote:
> I hope this is a quick question:
> 
> It seems tedious to have to list each and every combination of allowed 
> cipher, but exclude DES/3DES by using ike= and esp=.
> 
> I realize I could simply limit to, say, AES, by using something like:
> ike=aes128-md5-modp1536
> esp=aes128-md5-modp1536
> 
> but I'd rather remain flexible...
> 
> I've tried compiling strongswan with --disable-des, however 'ipsec 
> listall' still lists DES and 3DES:
> 
> 000 List of registered IKEv1 Algorithms:
> 000
> 000   encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC
> 000   integrity:  HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
> 000   dh-group:   MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 
> MODP_6144 MODP_8192 ECP_256 ECP_384 ECP_521 MODP_1024_160 MODP_2048_224 
> MODP_2048_256 ECP_192 ECP_224
> 000
> 000 List of registered ESP Algorithms:
> 000
> 000   encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC 
> AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16 
> CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
> 000   integrity:  HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_RIPEMD 
> AES_XCBC_96 NULL HMAC_SHA2_256_96
> List of registered IKEv2 Algorithms:
> 
>   encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC 
> BLOWFISH_CBC DES_CBC DES_ECB NULL
>   integrity:  AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160 
> HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192 
> HMAC_SHA2_512_256
>   hasher:     HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512 
> HASH_MD2 HASH_MD4 HASH_MD5
>   prf:        PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC 
> PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 
> PRF_HMAC_SHA2_512
>   dh-group:   MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256 
> ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 
> MODP_1024 MODP_1024_160 MODP_768
> 
> So am I just reading what's happening wrong, or what?
> 
> Thanks,


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Users mailing list