List: strongswan-announce
Subject: Re: [strongSwan-dev] Please advise which is the best option and a way forward
From: Noel Kuntze <noel.kuntze+strongswan-dev-ml () thermi ! consulting>
Date: 2022-10-07 21:14:00
Message-ID: 96850ec6-7382-c907-3b1a-018d7e167e93 () thermi ! consulting
Hi Hilly,
Some things.
GMAC is a MAC, not a cipher. AES-256 in the description means AES-CBC-256. The keyword for that is just "aes256". Whether SHA256-128 or SHA256-96 depends on the other peer. The -96 version is the non-standardized one. Ask staff operating the other peer for details what they use. You're more constrained by what the kernel you're using can do because it's processing the traffic (using the negotiated esp proposal).
The proposal your client asked for is ...
ike=aes256-sha256-ecp256!
esp=aes256-sha256!
You can of course ask them to use AES-GCM and AES-XCBC.
Kind regards
Noel
On 07.10.22 10:04, Hilly B wrote:
> Hi Developers,
>
> We are running on Centos 7 and we have installed strongswan-5.7.2-1.el7.x86_64 already installed and the latest version.
> Our client will allow us to connect to them using:
> Phase 1:
> Authentication Method !! Pre-Shared Secret, to be exchanged over the phone (SMS) only
> Encryption Schema IKEv2
> Diffie-Hellman Group- IKE DH Group-19
> Encryption Algorithm AES-256
> Hashing Algorithm SHA-256
> PRF SHA-256
> Renegotiate IKE SA every 86400 seconds
>
> Phase 2:
> IPSec IPSec
> Encryption Algorithm IPSec AES-256
> Hashing Algorithm IPSec SHA-256
> Renegotiate IPSec SA every 28800 seconds
> PFS No PFS
> Mode Main Mode
>
> I've been through the documentation from https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites and since we don't have Strong Swan 5.8.x we are limited in what we can use;
> _Option 1:_
> We have asked the client if we can use these alternate protocols that are supported with Strongswan 5.7.
> For Phase 1:
> Instead of DH Group-19 use DH Group 18
> Instead of AES-256 use aes256gmac
> Instead of SHA-256 use sha256_96
> For PRF instead of SHA-256 use AES XCBC
>
> For Phase 2: IPsec
> Instead of AES-256 use aes256gmac
> Instead of SHA-256 use sha256_96
>
> Question 1:
> However it's not clear in the documentation https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites. For IPsec and StrongSwan 5.7 can you use aes256gmac instead of AES-256 and sha256_96 instead of SHA-256?
> Question 2:
> If this is possible with StrongSwan 5.7 how do you implement aes256gmac IPSec Encryption Algorithm and sha256_96 IPSec Hashing Algorithm? Or are there alternate options supported by StrongSwan 5.7?
> _Option 2:_
> Build Strongswan 5.8.x on Centos 7
> However from this post it seems it may not work https://wiki.strongswan.org/issues/3229
> Question 3:
> Has anyone successfully built Strongswan 5.8.x or later on Centos 7 and if so would they be so kind as to share their instructions on how to do it?
> Thanks for any assistance.
>
>
--
Noel Kuntze
IT security consultant
GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
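
The client's parameter sheet mapped onto a legacy ipsec.conf connection around the ike=/esp= lines from the reply, as an added example that is not part of the original message. The connection name, addresses, subnets and secret are placeholders.

```conf
# ipsec.conf (legacy stroke syntax, matching the ike=/esp= keywords in the reply)
# Added example: connection name, addresses and subnets are placeholders.
conn client-tunnel
    keyexchange=ikev2
    # Phase 1: pre-shared secret on both sides
    leftauth=psk
    rightauth=psk
    # Placeholder endpoints (documentation address ranges)
    left=192.0.2.10
    leftsubnet=10.10.0.0/24
    right=198.51.100.20
    rightsubnet=10.20.0.0/24
    # AES-CBC-256, HMAC-SHA256, DH group 19 (ecp256). With no PRF listed,
    # strongSwan derives PRF-HMAC-SHA256 from the integrity algorithm.
    # The trailing "!" restricts the proposal to exactly this suite.
    ike=aes256-sha256-ecp256!
    # Phase 2: no DH group in the ESP proposal, so rekeying runs without PFS.
    # "sha256" is the 128-bit truncation; "sha256_96" is the 96-bit variant.
    esp=aes256-sha256!
    # Renegotiation intervals from the client's sheet
    ikelifetime=86400s
    lifetime=28800s
    auto=start

# ipsec.secrets (separate file; the secret is a placeholder)
# 192.0.2.10 198.51.100.20 : PSK "REPLACE_WITH_AGREED_SECRET"
```

strongSwan begins rekeying `margintime` before each lifetime expires, so the two lifetime values act as upper bounds rather than exact intervals.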