[strongSwan] Limiting the cipher suites in remote peer proposal

Alexander Lyakas alex.bolshoy at gmail.com
Thu Mar 8 17:58:32 CET 2012


Andreas,
I was not aware of the "strict" flag at all. man ipsec.conf has no
info on that.
Looking at the code, it looks like exactly what I need. I will verify further.

Thanks!
Alex.



On Thu, Mar 8, 2012 at 4:29 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hello Alex,
>
> are you using the ike and esp directives with the '!' strict flag?
>
>  ike=aes128-sha256-ecp256,3des-sha1-modp1024!
>  esp=aes128-sha256,3des-sha1!
>
> Regards
>
> Andreas
>
> On 08.03.2012 14:26, Alexander Lyakas wrote:
>> Greetings everybody,
>> I am trying to see how strongswan can accept only particular cipher
>> suites proposed by the remote peer. The esp= and ike= parameters in
>> ipsec.conf are used for the outgoing proposal only.
>>
>> I did some digging in strongswan 4.5.0 code.
>>
>> It looks like the peer proposal for IKEv1 is checked against
>> ike_alg_base[] (in ike_alg.c), and this array is filled according to
>> the plugins loaded by strongswan, and also according to some
>> hard-coded switch{} in init_crypto(), which skips some of the loaded
>> plugins. So for IKE, I guess, I can just control the loaded plugins.
>>
>> For IPSec however, I see that esp_aalg[] and esp_ealg[] arrays are
>> populated after querying the kernel what it supports. The incoming
>> proposal checks that algorithms are present in those maps only. So
>> there looks to be no parameter to control the incoming proposal beyond
>> that.
>>
>> Is my understanding correct? Is there a way to solve this?
>>
>> Thanks!
>> Alex.
>>
>> BTW, the outgoing proposal is, in addition, checked against the
>> encr_map[] and auth_map[] via
>> [esp|oakley]_from_[encryption|integrity]_algorithm() functions. So
>> these two maps must be hard-coded consistently with the loaded plugins
>> (for oakley) and with what kernel reports (for ESP). Is this an
>> intended approach? In the code I am looking at (4.5.0), they seem
>> consistent.
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
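The strict-flag configuration Andreas points to, written out as a complete ipsec.conf connection so the effect of the trailing '!' is visible next to the non-strict form. This is an added example, not configuration from the thread or from the strongSwan project; the connection name, addresses and subnets are placeholders, and the algorithm lists are the ones from Andreas's reply.

```ini
# /etc/ipsec.conf (added example; names, addresses and subnets are placeholders)

config setup

conn restricted-peer
    keyexchange=ikev1
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.7
    rightsubnet=10.2.0.0/16
    authby=secret
    # Trailing '!' = strict flag. Besides being what we propose, the listed
    # transforms are the only ones accepted from the peer; a peer offering
    # anything else is refused instead of being matched against whatever
    # the loaded plugins (IKE) or the kernel (ESP) happen to support.
    ike=aes128-sha256-ecp256,3des-sha1-modp1024!
    esp=aes128-sha256,3des-sha1!
    auto=add

# Non-strict form of the same two lines. Without the '!' they only order
# our outgoing proposal; the peer's proposal is still accepted if its
# algorithms are supported locally, which is the behaviour Alex observed
# when reading the 4.5.0 code.
#    ike=aes128-sha256-ecp256,3des-sha1-modp1024
#    esp=aes128-sha256,3des-sha1
```

Apply the change with `ipsec reload` (or a restart) and re-test from the peer: with the strict form in place, a peer that offers only transforms outside the list should fail the IKE or IPsec SA negotiation rather than come up on an unlisted cipher, which is the check that the flag is doing what the thread says. The weaker second entry (3des, sha1, modp1024) is kept here only because it appears in Andreas's reply; in a new deployment the point of the strict flag is to leave such fallbacks out of the list entirely.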

