Graham Hudspith wrote:
> Dear All,
> 
>     I've tried finding information on the plugins used by strongSwan and
>     have failed miserably. I'm hoping someone here can please throw some
>     light on the matter.
> 
>     We're using eap-sim and eap-aka mechanisms to set up the tunnel. So
>     I have configured and built strongSwan with --disable-pluto to save
>     space in the installation.
> 
>     We've also got openssl already installed, so I've also built with
>     --enable-openssl.
> 
>     Now I'm looking to trim back the strongSwan plugins we don't need to
>     build and install.
> 
>     Part 1
>     ======
> 
>     Which plugins can I get rid of when openssl is being used ?
>
If you enable openssl, you can get rid of the following plugins:

  aes des sha1 sha2 md5 gmp

You still need hmac (always), pubkey and x509 (with RSA signatures)
and xcbc (with AES-XCBC authentication).

>     I tried adding openssl to the list of plugins in strongswan.conf and
>     removing the following:
> 
>         aes des sha1 sha2 md5 gmp xcbc fips-prf
> 
>     However, with these removed, the tunnel does not come up. A little
>     experimentation shows that I have to add fips-prf (okay, I can
>     understand this one) and sha1 back in.
> 
>     Why do I need to add sha1 back in ?
>
It shouldn't be required; see the following openssl scenario:

http://www.strongswan.org/uml/testresults43/openssl/rw-cert/moon.strongswan.conf

>     Doesn't the openssl plugin provide the same sha1 capability (via
>     openssl) ?
> 
>     Part 2
>     ======
> 
>     Is there a description anywhere of what the various plugins do ?
>
http://wiki.strongswan.org/wiki/strongswan/Autoconf

>     Which plugins require other plugins ?
>
>     Which can be removed when using openssl ?
> 
See above.
>
>     If I use "fips-prf", can I remove "random" ? Or are they not
>     alternatives ?
>
fips-prf is a special pseudo-random function (PRF), whereas random gets
random key material from /dev/random (TRUE) and /dev/urandom (STRONG).
The only alternative to the random plugin is the padlock plugin, if
you have a VIA board with a built-in hardware random number generator.

>     It would also be useful if the UML tests included strongswan.conf
>     files that indicated the minimum/specific list of plugins required
>     per test rather than seeming to include the "standard set" plus any
>     specialist ones required.
>
The current sets are a compromise, comprising all plugins that might be
useful in most situations.

>     There is a page in the strongSwan wiki here
>     <http://wiki.strongswan.org/wiki/strongswan/IKEv2CipherSuites> which
>     lists the cipher suites supported for IKEv2. Does this show that
>     /only/ the algorithms marked with an "o" will be picked up from
>     openssl when the openssl plugin is used ? And that no other
>     algorithms which are *not* marked with an "o" will be picked up from
>     openssl (e.g. sha1 will not come from openssl) ?
>
I changed that yesterday. All supported algorithms are now marked by an
'o', not only the exotic ones.

>     Hope these questions aren't too noob for everyone!
> 
>     Graham.

Best regards

Andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org

Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
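As an added example (not a file from this thread nor one of the strongSwan project's own test configurations), here is what the charon plugin list in strongswan.conf looks like before and after applying Andreas's advice, for a build that uses the openssl plugin with EAP-SIM/EAP-AKA. The crypto plugin names and dependencies are the ones stated in the reply above; the non-crypto plugins (stroke, kernel-netlink, updown, eap-sim, eap-aka) are assumed for illustration, so check them against the plugin directory of your own build. fips-prf stays because EAP-SIM and EAP-AKA derive their keys with the FIPS 186-2 PRF, which the openssl plugin does not provide.

```conf
# strongswan.conf (added example, not a file from the thread)

# Before: the "standard set", with every software crypto plugin loaded
# explicitly. The eap-* and backend plugin names are assumptions.
#
# charon {
#   load = aes des sha1 sha2 md5 gmp random hmac xcbc fips-prf pubkey x509 stroke kernel-netlink updown eap-sim eap-aka
# }

# After: openssl replaces aes, des, sha1, sha2, md5 and gmp. Keep:
#   hmac     - always required (HMAC-based PRFs and integrity algorithms)
#   pubkey   - required for RSA signature verification
#   x509     - required for RSA signatures with certificates
#   xcbc     - only if AES-XCBC integrity is negotiated; drop it otherwise
#   random   - key material from /dev/random and /dev/urandom
#              (padlock is the only alternative, on VIA hardware)
#   fips-prf - a separate PRF, needed by EAP-SIM/EAP-AKA key derivation
charon {
  load = openssl random hmac xcbc fips-prf pubkey x509 stroke kernel-netlink updown eap-sim eap-aka
}
```

If the tunnel still fails after trimming, add the removed plugins back one at a time rather than all at once, so the charon log shows exactly which algorithm lookup fails; that is also the quickest way to see whether a plugin such as sha1 is genuinely required by your negotiated proposals or merely present in the standard set.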
