[strongSwan] Questions on Strongswan
Tobias Brunner
tobias at strongswan.org
Wed Apr 18 19:30:35 CEST 2012
Hi Nagaraj,
> 1: Is a fallback to IKEv1 supported when IKEv2 does not succeed with a
> remote peer ?
As the two protocols are implemented by separate daemons (which do not
communicate with each other) this is currently not supported.
> 2: Is IPsec tunnel mode supported with AH/ESP bundle ?
No.
> 3: What counters are available for IKE besides message counters ?
What exactly do you have in mind? IKEv1 or IKEv2?
> 4: What alarms/traps are supported for IKE?
Not sure what you mean exactly, but the IKEv2 daemon allows plugins to
register for events on the global message bus (see
src/libcharon/bus/bus.h). The current IKEv1 daemon pluto is a bit
limited on that account.
> 5: Are the following IKE modes supported ?
> a) Server side certificate based, client-side pre-shared key based (mixed)
Yes, the IKEv2 daemon does support this (just use the left|rightauth
options appropriately).
> 6: What counters are available for IKE beside message counters ?
> Please list protocol as well as debugging counters
Same question as 3; still not sure what you mean, could you clarify?
> 7: What mechanisms are available for periodically exporting these counters ?
None. But you could write a plugin to do something like that (depends
on what counters you mean).
> 8: Which SNMP MIBS are supported ?
None.
> 9: I guess Charon daemon creates policies by itself. If we use the
> mode auto=route then the first outbound IP packet will trigger the
> negotiation of an IPsec SA.
>
> Here is an example of one of the config files, strongswan.conf which
> Charon uses to install policies
> # /etc/strongswan.conf - strongSwan configuration file
>
> charon {
> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> revocation hmac xcbc stroke kernel-netlink socket-default updown
> multiple_authentication = no
> }
>
> However it is not clear to me how various parameters like security
> protocols (AH, ESP) are configured per ip address per port. Please
> explain
You have it wrong. strongswan.conf is for global options only, at the
moment. The connection specific configuration is done in ipsec.conf.
strongswan.conf is basically a more easily extendable version of the
"config setup" section in ipsec.conf. For details, have a look at the
wiki ([1] and [2]) or the respective man pages.
> 10: Is there support for address/port groups as part of the IPsec policy ?
What do you mean by "address/port groups"? Do you think of ranges like
192.168.1.5-192.168.1.10 and 1024-1100? If so, then no, that's
currently not supported. But the IKEv2 daemon does support multiple
subnets for left|rightsubnet (separated by commas).
Regards,
Tobias
[1] http://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
[2] http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
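An added worked configuration (editor's example, not part of the original message or of the strongSwan project's documentation) that puts together the points made above: connection-specific settings live in ipsec.conf while strongswan.conf only carries global options such as the `charon { load = ... }` block quoted in the question; mixed authentication is expressed per side with leftauth/rightauth; the IKEv2 daemon accepts several comma-separated subnets in left|rightsubnet; and auto=route installs a trap policy so that the first matching outbound packet triggers the negotiation. Host names, addresses, subnets and certificate file names are placeholders.

```ini
# /etc/ipsec.conf - connection definitions
# (global charon options such as the plugin load list belong in strongswan.conf)

config setup
    # nothing connection-specific goes here

# Responder for road warriors: this gateway authenticates with an X.509
# certificate, the clients authenticate with a pre-shared key (mixed
# authentication, one method per side). The second subnet is only there to
# show the comma-separated form the IKEv2 daemon accepts.
# Placeholders: vpn.example.org, serverCert.pem, 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/24
conn psk-clients
    keyexchange=ikev2
    ike=aes128-sha256-modp2048
    esp=aes128-sha256
    left=%defaultroute
    leftid=@vpn.example.org
    leftcert=serverCert.pem
    # our side: certificate
    leftauth=pubkey
    leftsubnet=10.1.0.0/16,10.2.0.0/16
    right=%any
    # peer side: pre-shared key
    rightauth=psk
    rightsourceip=10.3.0.0/24
    # responder only: load the connection and wait for the peer to initiate
    auto=add

# Site-to-site tunnel with certificates on both sides, installed as a trap
# policy: the first outbound packet from 10.1.0.0/16 towards either remote
# subnet triggers the IKE_SA and CHILD_SA negotiation.
# Placeholders: 198.51.100.2, branch.example.org, 192.168.10.0/24, 192.168.20.0/24
conn branch
    keyexchange=ikev2
    ike=aes128-sha256-modp2048
    esp=aes128-sha256
    left=%defaultroute
    leftid=@vpn.example.org
    leftcert=serverCert.pem
    leftauth=pubkey
    leftsubnet=10.1.0.0/16
    right=198.51.100.2
    rightid=@branch.example.org
    rightauth=pubkey
    rightsubnet=192.168.10.0/24,192.168.20.0/24
    auto=route
```

The credentials referenced above go into /etc/ipsec.secrets: a line such as `: RSA serverKey.pem` for the gateway's private key and a line such as `%any : PSK "long-random-secret"` (placeholder value) for the clients' pre-shared key. Two caveats worth noting: mixed authentication as shown here is plain IKEv2 (each side simply uses a different method), so it is unaffected by the `multiple_authentication = no` setting in the quoted strongswan.conf, which only concerns the RFC 4739 multiple-round exchange; and a trap policy (auto=route) protects traffic only once the negotiation has completed, so a packet sent before the SAs are up is dropped by the kernel rather than sent in the clear.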