[Swan-dev] defaults for ike= and esp= need updating?
andrew.cagney at gmail.com
Fri Dec 9 22:06:52 UTC 2016
On 9 December 2016 at 11:06, Paul Wouters <paul at nohats.ca> wrote:
> On Fri, 9 Dec 2016, Andrew Cagney wrote:
>
>>> Can this behaviour be tuned for IKEv1 or IKEv2? I would like IKEv2 to
>>> not have 1536/1024. And I would like IKEv1 to not have 1024.
>>
>> I think so. The ike_alg structures contain this information, we just
>> need to take the bit between our teeth and
>> use it.
The code seems to work for DH (i.e., IKE) so I'll start pushing it out.
However, ESP and INTEG/ENCRYPT had a hiccup:
>> One technical nit. This makes the ESP/AH parser code dependent on ike_alg
>> (the IKE code, via plutoalg.c) is
>> already). That in turn breaks the, unmaintained and probably already
>> broken, testing/lib/libswan/algparse.c.
>> Fixing means moving the deck chairs ike_alg*.[hc] and crypt_*.[hc] to
>> libswan.a, I think I'll hold off :-)
programs/spi uses the ESP parser and so this may force ike_alg*. I'll
think about it a little.
We only get around this now because the ESP= parser doesn't handle DH.
> Kill it - we have test cases for all algorithms, and if we want to test
> failing connections (eg invalid config lines) we can use a real pluto
> test case and try to load those conns to see if these are failing.
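As an added example (not libreswan's code), here is a small C checker for the `cipher-hash;dhgroup,...` form of an `ike=` line that refuses the DH groups the thread wants out of the per-version defaults. The group table, the policy (IKEv1 without modp1024, IKEv2 without modp1024 and modp1536) and the function name `check_proposals` are assumptions drawn from Paul's request above, not libreswan's actual tables or API.

```c
/* Added example, not libreswan code. Parses "cipher-hash;dhgroup,..."
 * and rejects any proposal whose DH group is unknown or not allowed for
 * the requested IKE version. The table below is an assumption modelled
 * on the thread: IKEv1 drops modp1024, IKEv2 drops modp1024 and modp1536. */
#include <stddef.h>
#include <string.h>

struct dh_group {
    const char *name;
    unsigned ikev1_ok : 1;
    unsigned ikev2_ok : 1;
};

static const struct dh_group dh_groups[] = {
    { "modp1024", 0, 0 },
    { "modp1536", 1, 0 },
    { "modp2048", 1, 1 },
    { "modp4096", 1, 1 },
    { "dh19",     1, 1 },
    { "dh20",     1, 1 },
};

/* Look up a group by a non-NUL-terminated name slice. */
static const struct dh_group *lookup_dh(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof dh_groups / sizeof dh_groups[0]; i++)
        if (strlen(dh_groups[i].name) == len &&
            strncmp(dh_groups[i].name, name, len) == 0)
            return &dh_groups[i];
    return NULL;
}

/* Returns the number of proposals accepted, or -1 if any proposal names
 * an unknown or disallowed DH group. ike_version is 1 or 2. A proposal
 * without ";dhgroup" carries no DH choice and is accepted as-is. */
int check_proposals(const char *spec, int ike_version)
{
    int accepted = 0;
    const char *p = spec;
    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *semi = memchr(p, ';', plen);
        if (semi != NULL) {
            const struct dh_group *g =
                lookup_dh(semi + 1, plen - (size_t)(semi + 1 - p));
            if (g == NULL)
                return -1;
            if (ike_version == 1 ? !g->ikev1_ok : !g->ikev2_ok)
                return -1;
        }
        accepted++;
        p += plen;
        if (*p == ',')
            p++;
    }
    return accepted;
}
```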