Do you need to set ike and phase2alg at all? If you don't set them, Libreswan should negotiate a good set of algorithms.

Nick

On 23/07/2020 09:24, Pavol Hustý wrote:
Hi all,

I have a running libreswan configuration with "ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96".

Question: How do I force or set the current libreswan configuration to use ESP algorithms with a sha1 160-bit length? Is it possible?

---

cat /var/log/pluto.log
Jul 22 13:57:29.740389: "asa128-test112" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x065e62ab <0xc1302f22 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}

ipsec whack --status
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160

000 "asa128-test112":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "asa128-test112":   IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1024
000 "asa128-test112":   IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1024
000 "asa128-test112":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96
000 "asa128-test112":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)


uname -r
3.10.0-1127.13.1.el7.x86_64

cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

ipsec --version
Linux Libreswan 3.25 (netkey) on 3.10.0-1127.13.1.el7.x86_64

conn asa128-test112
         authby=secret
         type=tunnel
         ikev2=no
         ike=aes256-sha1;modp1024
         salifetime=8h
         ikelifetime=24h
         phase2=esp
         phase2alg=aes256-sha1
         left=x.y.z.112
         leftsubnet=10.10.10.75/32
         leftsourceip=10.10.10.70
         right=z.y.x.128
         rightsubnet=172.17.19.2/32
         rightsourceip=172.17.19.1
         pfs=no
         dpddelay=10
         dpdtimeout=30
         dpdaction=restart

---

Thank you.

Regards

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


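As an added example (mine, not code from the thread or from libreswan), a small Python parser for the "algorithm newest" lines of `ipsec whack --status` quoted above, which makes the distinction behind the question explicit: HMAC_SHA1 always uses a 160-bit key (that is what whack's keysizemin=160 reports), while the _96 suffix is the 96-bit truncated ICV that ESP uses per RFC 2404. The sample lines are constructed from the thread's output, and the function names and audit rules are my own.

```python
import re

# Constructed sample shaped like the "ipsec whack --status" lines quoted in the thread
# (the connection name asa128-test112 and the proposals are the thread's own).
SAMPLE_STATUS = """\
000 "asa128-test112":   IKE algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1024
000 "asa128-test112":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=<N/A>
"""

# Hash output sizes in bits. An HMAC's key is the full hash output, which is why
# whack reports keysizemin=160 for HMAC_SHA1 regardless of the ICV truncation.
HMAC_OUTPUT_BITS = {"HMAC_SHA1": 160, "HMAC_SHA2_256": 256, "HMAC_SHA2_512": 512}

_NEWEST = re.compile(r'"(?P<conn>[^"]+)":\s+(?P<sa>IKE|ESP) algorithm newest: (?P<prop>\S+?)(?:;|$)')
_IKE = re.compile(r"^(?P<cipher>[A-Z_]+?)_(?P<keylen>\d+)-(?P<integ>HMAC_[A-Z0-9_]+?)-(?P<dh>MODP\d+|DH\d+)$")
_ESP = re.compile(r"^(?P<cipher>[A-Z_]+?)_(?P<keylen>\d+)-(?P<integ>HMAC_[A-Z0-9_]+?)(?:_(?P<icv>\d+))?$")


def parse_newest(status_text):
    """Return {"IKE": {...}, "ESP": {...}} describing the newest SA of each kind."""
    result = {}
    for line in status_text.splitlines():
        m = _NEWEST.search(line)
        if not m:
            continue
        sa, prop = m.group("sa"), m.group("prop")
        pm = (_IKE if sa == "IKE" else _ESP).match(prop)
        if not pm:
            raise ValueError(f"unrecognised {sa} proposal: {prop}")
        info = {k: (int(v) if v and v.isdigit() else v) for k, v in pm.groupdict().items()}
        if sa == "ESP":
            # The _96 suffix is the truncated ICV length (RFC 2404), not the key
            # length: the HMAC_SHA1 key is still the full 160 bits.
            info["icv_bits"] = info.pop("icv") or HMAC_OUTPUT_BITS[info["integ"]]
            info["key_bits"] = HMAC_OUTPUT_BITS[info["integ"]]
            pfs = re.search(r"pfsgroup=(\S+)", line)
            info["pfs"] = None if pfs is None or pfs.group(1) == "<N/A>" else pfs.group(1)
        result[sa] = info
    return result


def audit(newest):
    """Defender's checks on the negotiated parameters; returns a list of findings."""
    findings = []
    if newest.get("IKE", {}).get("dh") == "MODP1024":
        findings.append("IKE DH group is 1024-bit MODP; prefer a 2048-bit or larger group")
    if "ESP" in newest and newest["ESP"]["pfs"] is None:
        findings.append("no PFS for the IPsec SA (pfs=no): ESP keys derive only from the IKE SA")
    return findings
```

Feed the real `ipsec whack --status` output to `parse_newest()` to see the negotiated cipher, integrity algorithm, key length and ICV length as separate fields, and `audit()` for the two checks above.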