[Swan] HMAC_SHA1 length

Nick Howitt nick at howitts.co.uk
Thu Jul 23 08:41:30 UTC 2020


Do you need to set ike and phase2alg at all? If you don't set them, 
Libreswan should negotiate a good set of algorithms.

Nick

On 23/07/2020 09:24, Pavol Hustý wrote:
> Hi all,
> 
> I have a running libreswan configuration with "ESP algorithm newest: 
> AES_CBC_256-HMAC_SHA1_96".
> 
> Question: How can I force or set the current libreswan configuration to ESP 
> algorithms with a 160-bit SHA1 length? Is it possible?
> 
> ---
> 
> cat /var/log/pluto.log
> Jul 22 13:57:29.740389: "asa128-test112" #2: STATE_QUICK_I2: sent QI2, 
> IPsec SA established tunnel mode {ESP=>0x065e62ab <0xc1302f22 
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
> 
> ipsec whack --status
> 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
> keysizemin=160, keysizemax=160
> 
> 000 "asa128-test112":   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "asa128-test112":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
> 000 "asa128-test112":   IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1024
> 000 "asa128-test112":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96
> 000 "asa128-test112":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; 
> pfsgroup=<N/A>
> 000
> 000 Total IPsec connections: loaded 1, active 1
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE 
> connections
> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
> 000 IPsec SAs: total(1), authenticated(1), anonymous(0)
> 
> 
> uname -r
> 3.10.0-1127.13.1.el7.x86_64
> 
> cat /etc/redhat-release
> CentOS Linux release 7.8.2003 (Core)
> 
> ipsec --version
> Linux Libreswan 3.25 (netkey) on 3.10.0-1127.13.1.el7.x86_64
> 
> conn asa128-test112
>          authby=secret
>          type=tunnel
>          ikev2=no
>          ike=aes256-sha1;modp1024
>          salifetime=8h
>          ikelifetime=24h
>          phase2=esp
>          phase2alg=aes256-sha1
>          left=x.y.z.112
>          leftsubnet=10.10.10.75/32
>          leftsourceip=10.10.10.70
>          right=z.y.x.128
>          rightsubnet=172.17.19.2/32
>          rightsourceip=172.17.19.1
>          pfs=no
>          dpddelay=10
>          dpdtimeout=30
>          dpdaction=restart
> 
> ---
> 
> Thank you.
> 
> Regards
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
> 
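Added example, not part of the thread and not libreswan code: what the "_96" in AES_CBC_256-HMAC_SHA1_96 refers to. RFC 2404 defines HMAC-SHA-1-96 for ESP and AH: the key is 160 bits (that key size is what keysizemin=160, keysizemax=160 in the whack output above describes), the HMAC-SHA-1 output is 160 bits, and the ICV placed in the packet is the leftmost 96 bits (12 bytes) of that output. The script below builds a minimal ESP-shaped record (SPI, sequence number, an opaque payload standing in for the AES ciphertext; the SPI is the outbound one from the pluto.log above, the key and payload are constructed here), computes the ICV truncated and untruncated, and shows that a verifier expecting the other ICV length rejects the packet. The layout is simplified (no ESN, no trailer parsing) and none of these functions are a libreswan or kernel API.

```python
import hmac
import hashlib
import struct

# RFC 2404 (HMAC-SHA-1-96 within ESP and AH): 160-bit key, 160-bit HMAC
# output, ICV = leftmost 96 bits. The constants below are the RFC's sizes.
KEY_LEN = 20       # 160-bit key, mandatory per RFC 2404
ICV_LEN_96 = 12    # truncated ICV carried on the wire by HMAC_SHA1_96
ICV_LEN_160 = 20   # untruncated SHA-1 HMAC, for comparison only


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    """Full 160-bit HMAC-SHA-1; enforces the RFC 2404 key length."""
    if len(key) != KEY_LEN:
        raise ValueError("RFC 2404 requires a 160-bit (20-byte) key")
    return hmac.new(key, data, hashlib.sha1).digest()


def esp_icv(key: bytes, authenticated: bytes, icv_len: int = ICV_LEN_96) -> bytes:
    """ICV over the authenticated part of an ESP packet, truncated to icv_len."""
    return hmac_sha1(key, authenticated)[:icv_len]


def build_esp_packet(spi: int, seq: int, encrypted_payload: bytes,
                     key: bytes, icv_len: int = ICV_LEN_96) -> bytes:
    """Simplified ESP: SPI | seq | payload | ICV. The ICV covers everything
    before it (RFC 4303 section 3.3.2.1, without ESN). Payload is opaque here,
    it stands in for the AES-CBC ciphertext plus trailer."""
    header = struct.pack("!II", spi, seq)
    authenticated = header + encrypted_payload
    return authenticated + esp_icv(key, authenticated, icv_len)


def verify_esp_packet(packet: bytes, key: bytes, icv_len: int = ICV_LEN_96) -> bool:
    """Recompute the ICV the receiver expects and compare in constant time.
    A peer configured for a different ICV length splits the packet at the
    wrong offset and the comparison fails."""
    if len(packet) < 8 + icv_len:
        return False
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    expected = esp_icv(key, authenticated, icv_len)
    return hmac.compare_digest(icv, expected)


if __name__ == "__main__":
    # Constructed key and payload; SPI taken from the pluto.log line above.
    key = bytes(range(KEY_LEN))
    payload = b"constructed-ciphertext-stand-in"
    pkt96 = build_esp_packet(0x065E62AB, 1, payload, key)
    pkt160 = build_esp_packet(0x065E62AB, 1, payload, key, ICV_LEN_160)
    print("96-bit ICV :", pkt96[-ICV_LEN_96:].hex())
    print("160-bit ICV:", pkt160[-ICV_LEN_160:].hex())
    print("96-bit ICV is a prefix of the 160-bit one:",
          pkt160[-ICV_LEN_160:].startswith(pkt96[-ICV_LEN_96:]))
    print("peer expecting 160-bit ICV accepts 96-bit packet:",
          verify_esp_packet(pkt96, key, ICV_LEN_160))
```

Both ends of the SA must agree on the truncation length: the script's last line shows that the same key and packet fail verification when the receiver is configured for the other ICV size, which is why the length is part of the negotiated transform name rather than something one side can change locally.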