[Swan] HMAC_SHA1 length

Pavol Hustý pavol.husty at gmail.com
Thu Jul 23 08:24:37 UTC 2020


Hi all,

I have a running libreswan configuration with "ESP algorithm newest:
AES_CBC_256-HMAC_SHA1_96".

Question: How can I force or set the current libreswan configuration to use ESP
algorithms with SHA1 160-bit length? Is it possible?

---

cat /var/log/pluto.log
Jul 22 13:57:29.740389: "asa128-test112" #2: STATE_QUICK_I2: sent QI2,
IPsec SA established tunnel mode {ESP=>0x065e62ab <0xc1302f22
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}

ipsec whack --status
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160

000 "asa128-test112":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "asa128-test112":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
000 "asa128-test112":   IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1024
000 "asa128-test112":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96
000 "asa128-test112":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96;
pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE
connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)


uname -r
3.10.0-1127.13.1.el7.x86_64

cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

ipsec --version
Linux Libreswan 3.25 (netkey) on 3.10.0-1127.13.1.el7.x86_64

conn asa128-test112
        authby=secret
        type=tunnel
        ikev2=no
        ike=aes256-sha1;modp1024
        salifetime=8h
        ikelifetime=24h
        phase2=esp
        phase2alg=aes256-sha1
        left=x.y.z.112
        leftsubnet=10.10.10.75/32
        leftsourceip=10.10.10.70
        right=z.y.x.128
        rightsubnet=172.17.19.2/32
        rightsourceip=172.17.19.1
        pfs=no
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart

---

Thank you.

Regards
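
Added illustration, not part of the original post and not libreswan code: in HMAC-SHA1-96 as specified in RFC 2404, the key is 160 bits (the keysizemin/keysizemax=160 in the status output) and the 160-bit HMAC output is truncated to its first 96 bits for the ESP integrity check value (the "_96" suffix). The Python sketch below uses the public RFC 2202 test vector as constructed sample input; all function names are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample input: RFC 2202 test case 1 for HMAC-SHA1.
KEY = bytes([0x0B]) * 20   # 20 bytes = 160-bit key
DATA = b"Hi There"

KEY_BITS = 160  # key length of AUTH_ALGORITHM_HMAC_SHA1 (keysizemin=keysizemax=160)
ICV_BITS = 96   # tag length carried in each ESP packet (the "_96" suffix)


def hmac_sha1_full(key: bytes, data: bytes) -> bytes:
    """Untruncated HMAC-SHA1: always 20 bytes (160 bits) of output."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1-96: same key, same computation, first 96 bits kept."""
    if len(key) * 8 != KEY_BITS:
        raise ValueError("HMAC-SHA1-96 for ESP uses a fixed 160-bit key")
    return hmac_sha1_full(key, data)[: ICV_BITS // 8]


def verify_icv(key: bytes, data: bytes, icv: bytes) -> bool:
    """Receiver side: recompute the truncated tag, compare in constant time."""
    return len(icv) == ICV_BITS // 8 and hmac.compare_digest(
        hmac_sha1_96(key, data), icv
    )


def icv_bits_from_name(xfrm: str):
    """Read the tag length from a name such as the one in the pluto log.

    Assumes the 'CIPHER-HMAC_HASH_BITS' layout seen in the post; returns
    None when the last component carries no truncation suffix.
    """
    m = re.fullmatch(r"HMAC_\w+?_(\d+)", xfrm.split("-")[-1])
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print("key bits :", len(KEY) * 8)
    print("full MAC :", hmac_sha1_full(KEY, DATA).hex())
    print("ESP ICV  :", hmac_sha1_96(KEY, DATA).hex())
    print("name says:", icv_bits_from_name("AES_CBC_256-HMAC_SHA1_96"))
```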