[Swan-dev] defaults for ike= and esp= need updating?

Andrew Cagney andrew.cagney at gmail.com
Fri Dec 9 22:06:52 UTC 2016

On 9 December 2016 at 11:06, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 9 Dec 2016, Andrew Cagney wrote:
>       Can this behaviour be tuned for IKEv1 or IKEv2? I would like IKEv2 to
>>       not have 1536/1024. And I would like IKEv1 to not have 1024.
>> I think so.  The ike_alg structures contain this information, we just
>> need to take the bit between our teeth and
>> use it.
> Ok.
The code seems to work for DH (i.e., IKE) so I'll start pushing it out.

However, ESP and INTEG/ENCRYPT had a hiccup:

One technical nit.  This makes the ESP/AH parser code dependent on ike_alg
>> (the IKE code, via plutoalg.c) is
>> already).  That in turn breaks the, unmaintained and probably already
>> broken, testing/lib/libswan/algparse.c.
>> Fixing means moving the deck chairs ike_alg*.[hc] and crypt_*.[hc] to
>> libswan.a, I think I'll hold off :-)
programs/spi uses the ESP parser and so this may force ike_alg*.  I'll
think about it a little.
We only get around this now because the ESP= parser doesn't handle DH.

> Kill it - we have test cases for all algorithms, and if we want to test
> failing connections (eg invalid config lines) we can use a real pluto
> test case and try to load those conns to see if these are failing.


> Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20161209/f07aad8a/attachment.html>

More information about the Swan-dev mailing list