[strongSwan] Disable only 3DES?
Troy Telford
ttelford.groups at gmail.com
Mon Oct 4 07:34:13 CEST 2010
On Oct 3, 2010, at 9:57 PM, Andreas Steffen wrote:
> Hi Troy,
>
> --disable-des disables the des plugin but the 3DES is still provided
> by either the openssl or gcrypt plugins which you seem to have enabled.
> You can generate all combinations of encryption, integrity and key
> exchange algorithms in the following way:
>
> ike=aes128-aes256-sha1-sha2-md5-modp1536-modp2048-modp1024!
I noticed that syntax in the ipsec.conf man page; however it doesn't appear to work for either pluto or charon:
I'm getting the following for each conn entry (from pluto):
Oct 3 23:24:26 pilot pluto[13470]: added connection description "rw"
Oct 3 23:24:26 pilot pluto[13470]: syntax error in ike string
And something similar from charon:
Oct 3 23:20:25 pilot charon: 00[DMN] loaded plugins: curl ldap aes sha1 sha2 random x509 pubkey pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql resolve kernel-netlink socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp
Oct 3 23:20:25 pilot charon: 00[JOB] spawning 16 worker threads
Oct 3 23:20:25 pilot charon: 03[CFG] crl caching to /etc/ipsec.d/crls enabled
Oct 3 23:20:25 pilot charon: 03[CFG] received stroke: add connection 'rw'
Oct 3 23:20:25 pilot charon: 03[CFG] skipped invalid proposal string: aes128-aes256-sha1-sha2-modp1536-modp2048-modp1024
Oct 3 23:20:25 pilot charon: 03[CFG] loaded certificate "C=US, ST=<blah>"
I've dug into the Debian package, and here's what I've found:
* One patch to the init script for Debian: "Fixed init script for restart to work when either pluto or charon are not installed."
* ./configure options of:
CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--libexecdir=/usr/lib \
--enable-ldap --enable-curl \
--with-capabilities=libcap \
--enable-smartcard \
--with-default-pkcs11=/usr/lib/opensc-pkcs11.so \
--enable-mediation --enable-medsrv --enable-medcli \
--enable-openssl --enable-agent \
--enable-eap-radius --enable-eap-identity --enable-eap-md5 \
--enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
--enable-sql --enable-integrity-test \
--enable-nat-transport --enable-sqlite \
--enable-nm --enable-ha --enable-dhcp --enable-farp \
--enable-test-vectors
(I personally added --enable-sqlite and --enable-nat-transport; --enable-nat-transport was enabled because I have to have L2TP, and L2TP won't work in either transport or tunnel mode unless --enable-nat-transport is used.)
>
> On 10/04/2010 12:24 AM, Troy Telford wrote:
>> I hope this is a quick question:
>>
>> It seems tedious to have to list each and every combination of allowed
>> cipher, but exclude DES/3DES by using ike= and esp=.
>>
>> I realize I could simply limit to, say, AES, by using something like:
>> ike=aes128-md5-modp1536
>> esp=aes128-md5-modp1536
>>
>> but I'd rather remain flexible...
>>
>> I've tried compiling strongswan with --disable-des, however 'ipsec
>> listall' still lists DES and 3DES:
>>
>> 000 List of registered IKEv1 Algorithms:
>> 000
>> 000 encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC
>> 000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
>> 000 dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096
>> MODP_6144 MODP_8192 ECP_256 ECP_384 ECP_521 MODP_1024_160 MODP_2048_224
>> MODP_2048_256 ECP_192 ECP_224
>> 000
>> 000 List of registered ESP Algorithms:
>> 000
>> 000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC
>> AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16
>> CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
>> 000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_RIPEMD
>> AES_XCBC_96 NULL HMAC_SHA2_256_96
>> List of registered IKEv2 Algorithms:
>>
>> encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC
>> BLOWFISH_CBC DES_CBC DES_ECB NULL
>> integrity: AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160
>> HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192
>> HMAC_SHA2_512_256
>> hasher: HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512
>> HASH_MD2 HASH_MD4 HASH_MD5
>> prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC
>> PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384
>> PRF_HMAC_SHA2_512
>> dh-group: MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256
>> ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192
>> MODP_1024 MODP_1024_160 MODP_768
>>
>> So am I just reading what's happening wrong, or what?
>>
>> Thanks,
>
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
--
Troy Telford
ttelford.groups at gmail.com
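
Added example, not part of the original message or of strongSwan itself: a small Python audit that parses `ipsec listall` output in the format quoted above and reports which DES/3DES encryption algorithms each section still registers, so a rebuild or plugin change can be checked against what the daemons actually offer. The sample input is abridged from the listing in this thread; the function names are hypothetical.

```python
import re

# Abridged from the 'ipsec listall' output quoted in the thread: pluto
# prefixes its lines with "000" and long lists wrap onto continuation lines.
SAMPLE = """\
000 List of registered IKEv1 Algorithms:
000
000 encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256
000 List of registered ESP Algorithms:
000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC
AES_CTR AES_CCM_8 CAMELLIA_CBC
List of registered IKEv2 Algorithms:
encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC
BLOWFISH_CBC DES_CBC DES_ECB NULL
integrity: AES_XCBC_96 HMAC_SHA1_96
"""

SECTION = re.compile(r"List of registered (\S+) Algorithms:")
CATEGORY = re.compile(r"([a-z-]+):\s*(.*)")
DES_FAMILY = re.compile(r"^3?DES_")  # DES_CBC, DES_ECB, 3DES_CBC

def parse_listall(text):
    """Return {section: {category: [algorithm, ...]}}, joining wrapped lines."""
    result, section, category = {}, None, None
    for raw in text.splitlines():
        # Drop mail quoting (">"), the pluto "000" prefix and indentation.
        line = re.sub(r"^[>\s]*(000\b)?\s*", "", raw).strip()
        m = SECTION.fullmatch(line)
        if m:
            section, category = result.setdefault(m.group(1), {}), None
            continue
        m = CATEGORY.fullmatch(line)
        if m and section is not None:
            category = section.setdefault(m.group(1), [])
            line = m.group(2)
        if category is not None:
            # Either the rest of a "name:" line or a wrapped continuation.
            category.extend(line.split())
    return result

def des_still_registered(text):
    """Map each section to the DES/3DES encryption algorithms it registers."""
    return {name: [a for a in cats.get("encryption", []) if DES_FAMILY.match(a)]
            for name, cats in parse_listall(text).items()}

if __name__ == "__main__":
    for name, algs in des_still_registered(SAMPLE).items():
        print(f"{name}: {', '.join(algs) or 'no DES/3DES registered'}")
```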