[strongSwan] Limiting the cipher suites in remote peer proposal

Andreas Steffen andreas.steffen at strongswan.org
Thu Mar 8 15:29:48 CET 2012 

Hello Alex,

are you using the ike and esp directives with the '!' strict flag?

  ike=aes128-sha256-ecp256,3des-sha1-modp1024!
  esp=aes128-sha256,3des-sha1!

Regards

Andreas

On 08.03.2012 14:26, Alexander Lyakas wrote:
> Greetings everybody,
> I am trying see how strongswan can accept only particular cipher
> suites proposed by remote peer. The esp= and ike= parameters in
> ipsec.conf are used
> for outgoing proposal only.
> 
> I did some digging in strongswan 4.5.0 code.
> 
> It looks like the peer proposal for IKEv1 is checked against
> ike_alg_base[] (in ike_alg.c), and this array is filled according to
> the plugins loaded by strongswan, and also according to some
> hard-coded switch{} in init_crypto(), which skips some of the loaded
> plugins. So for IKE, I guess, I can just control the loaded plugins.
> 
> For IPSec however, I see that esp_aalg[] and esp_ealg[] arrays are
> populated after querying the kernel what is supports. The incoming
> proposal checks that algorithms are present in those maps only. So
> there looks to be no parameter to control the incoming proposal beyond
> that.
> 
> Is my understanding correct? Is there a way to solve this?
> 
> Thanks!
> Alex.
> 
> BTW, the outgoing proposal is, in addition, checked against the
> encr_map[] and auth_map[] via
> [esp|oakley]_from_[encryption|integrity]_algorithm() functions. So
> these two maps must be hard-coded consistently with the loaded plugins
> (for oakley) and with what kernel reports (for ESP). Is this an
> intended approach? In the code I am looking at (4.5.0), they seem
> consistent.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4489 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120308/3ec6ea2c/attachment.bin>

More information about the Users mailing list