[Swan-dev] simplifying default IKEv1 IKE algorithms

Andrew Cagney andrew.cagney at gmail.com
Thu Jan 19 19:33:53 UTC 2017

(not IKEv2, not ESP)

Currently, for IKEv1 IKE (phase1 I guess) has two different "defaults"

- the ike= line is missing from the config

  hard wired magic in spdb.c constructs an exhaustive proposal list
and dumps it onto the wire
  the proposals are not sanity checked, and stuff that isn't supported
keeps being sent out

  The combinations are something like
     {aes256,aes128,des3}-{sha1,md5}-{modp2048,modp1536,modp1024} = 3*2*3 = 18
  but the exact details depend on the authentication being used

- the ike= line is present but some algorithms are missing; for
instance ike=aes is missing prf/integ and dh

  completely unrelated logic in plutoalg.c, fills in missing
algorithms by enumerating over completely unrelated default values
  for DH, there is a sanity check to filter out invalid defaults (I
need to apply that to the other cases)

  The current default is:
*-{sha256,sha512,sha1,md5}-{modp2048,modp1536} (since an encryption
algorithm is required for this case)

Rather than trying to modify the first code path so that it filters
out invalid defaults, I'd like to drop that code path entirely.
Instead use the second code path to fill in the defaults when IKEv1
and no ike= was specified


Not IKEv2 IKE?  it currently produces a very compact and very
different proposal list, but that isn't to rule it out.
Not ESP? That code path is very different.

More information about the Swan-dev mailing list