[Swan] HMAC_SHA1 length
Nick Howitt
nick at howitts.co.uk
Thu Jul 23 08:41:30 UTC 2020
Do you need to set ike and phase2alg at all? If you don't set them,
Libreswan should negotiate a good set of algorithms.
Nick
On 23/07/2020 09:24, Pavol Hustý wrote:
> Hi all,
>
> I have a running Libreswan configuration with "ESP algorithm newest:
> AES_CBC_256-HMAC_SHA1_96".
>
> Question: how do I force or set the current Libreswan configuration to ESP
> algorithms with SHA1 160-bit length? Is it possible?
>
> ---
>
> cat /var/log/pluto.log
> Jul 22 13:57:29.740389: "asa128-test112" #2: STATE_QUICK_I2: sent QI2,
> IPsec SA established tunnel mode {ESP=>0x065e62ab <0xc1302f22
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
>
> ipsec whack --status
> 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
>
> 000 "asa128-test112": newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "asa128-test112": IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
> 000 "asa128-test112": IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1024
> 000 "asa128-test112": ESP algorithms: AES_CBC_256-HMAC_SHA1_96
> 000 "asa128-test112": ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96;
> pfsgroup=<N/A>
> 000
> 000 Total IPsec connections: loaded 1, active 1
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE
> connections
> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
> 000 IPsec SAs: total(1), authenticated(1), anonymous(0)
>
>
> uname -r
> 3.10.0-1127.13.1.el7.x86_64
>
> cat /etc/redhat-release
> CentOS Linux release 7.8.2003 (Core)
>
> ipsec --version
> Linux Libreswan 3.25 (netkey) on 3.10.0-1127.13.1.el7.x86_64
>
> conn asa128-test112
> authby=secret
> type=tunnel
> ikev2=no
> ike=aes256-sha1;modp1024
> salifetime=8h
> ikelifetime=24h
> phase2=esp
> phase2alg=aes256-sha1
> left=x.y.z.112
> leftsubnet=10.10.10.75/32
> leftsourceip=10.10.10.70
> right=z.y.x.128
> rightsubnet=172.17.19.2/32
> rightsourceip=172.17.19.1
> pfs=no
> dpddelay=10
> dpdtimeout=30
> dpdaction=restart
>
> ---
>
> Thank you.
>
> Regards
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
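Added example, not code from the thread or from Libreswan: the `_96` suffix on `HMAC_SHA1_96` is the ESP Integrity Check Value length, which RFC 2404 fixes at 96 bits (the first 12 bytes of the 160-bit HMAC-SHA1 output); the `keysizemin=160, keysizemax=160` in `ipsec whack --status` is the HMAC key size, not the ICV length. The script below parses the "algorithm newest" lines quoted above (embedded as constructed sample input), flags IKEv1-era choices (MODP1024, SHA1, 96-bit ICV), and computes the ICV at both truncation lengths so the difference is visible. Function names and finding codes are my own.

```python
import hashlib
import hmac

# Constructed sample input: the two "newest" lines from `ipsec whack --status`
# as quoted in the thread.
SAMPLE_STATUS = (
    '000 "asa128-test112": IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1024\n'
    '000 "asa128-test112": ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=<N/A>\n'
)

# Integrity algorithm names as Libreswan prints them, mapped to the underlying
# hash constructor and its full output size in bits.
INTEG = {
    "HMAC_SHA2_512": (hashlib.sha512, 512),
    "HMAC_SHA2_384": (hashlib.sha384, 384),
    "HMAC_SHA2_256": (hashlib.sha256, 256),
    "HMAC_SHA1": (hashlib.sha1, 160),
    "HMAC_MD5": (hashlib.md5, 128),
}


def parse_alg(spec):
    """Split 'AES_CBC_256-HMAC_SHA1_96' or 'AES_CBC_256-HMAC_SHA1-MODP1024'
    into cipher, key length, integrity algorithm, ICV bits and DH group.
    icv_bits is None when the string carries no truncation suffix."""
    parts = spec.split(";")[0].strip().split("-")
    cipher, keylen = parts[0].rsplit("_", 1)
    integ, icv_bits = None, None
    # Longest names first so HMAC_SHA2_256 is not read as HMAC_SHA2 + ICV 256.
    for name in sorted(INTEG, key=len, reverse=True):
        if parts[1] == name:
            integ = name
            break
        if parts[1].startswith(name + "_"):
            integ, icv_bits = name, int(parts[1][len(name) + 1:])
            break
    if integ is None:
        raise ValueError("unknown integrity algorithm: " + parts[1])
    group = parts[2] if len(parts) > 2 else None
    return {"cipher": cipher, "keylen": int(keylen), "integ": integ,
            "icv_bits": icv_bits, "group": group}


def esp_icv(key, authenticated_data, integ, icv_bits):
    """ESP Integrity Check Value: HMAC over the authenticated part of the
    packet, truncated to icv_bits (RFC 2404 fixes 96 for HMAC-SHA1)."""
    digest_fn, full_bits = INTEG[integ]
    if icv_bits % 8 or icv_bits > full_bits:
        raise ValueError("ICV length must be a byte multiple <= %d bits" % full_bits)
    mac = hmac.new(key, authenticated_data, digest_fn).digest()
    return mac[: icv_bits // 8]


def audit(status_text):
    """Return finding codes (my own labels) for the 'algorithm newest' lines
    of `ipsec whack --status` output."""
    findings = []
    for line in status_text.splitlines():
        if "algorithm newest:" not in line:
            continue
        kind = "IKE" if "IKE algorithm" in line else "ESP"
        alg = parse_alg(line.split("newest:")[1])
        if alg["group"] == "MODP1024":
            findings.append(kind + ":MODP1024")
        if alg["integ"] in ("HMAC_SHA1", "HMAC_MD5"):
            findings.append(kind + ":" + alg["integ"])
        if kind == "ESP" and alg["icv_bits"] == 96:
            findings.append("ESP:ICV96")
    return findings


if __name__ == "__main__":
    # Constructed key and payload; only the lengths matter for the demonstration.
    key = b"\x0b" * 20
    payload = b"constructed ESP payload"
    print("findings:", audit(SAMPLE_STATUS))
    print("ICV 96 bits :", esp_icv(key, payload, "HMAC_SHA1", 96).hex())
    print("ICV 160 bits:", esp_icv(key, payload, "HMAC_SHA1", 160).hex())
```

The two printed ICVs share the same first 12 bytes: the 96-bit form is a prefix of the full 160-bit HMAC, so which length the kernel verifies is purely a negotiation matter, not a different algorithm. Whether a peer will accept a non-standard 160-bit truncation for `HMAC_SHA1` is up to that peer's implementation; the thread itself gives no Libreswan option for it.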