128 bit default security strength requires 3072 bit prime DH group
This commit is contained in:
parent
47e5640378
commit
5e2b740a00
|
@ -1292,9 +1292,9 @@ ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd])
|
|||
ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd])
|
||||
ADD_PLUGIN([blowfish], [s charon scepclient pki scripts nm cmd])
|
||||
ADD_PLUGIN([rc2], [s charon scepclient pki scripts nm cmd])
|
||||
ADD_PLUGIN([sha1], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
|
||||
ADD_PLUGIN([sha2], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
|
||||
ADD_PLUGIN([sha3], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
|
||||
ADD_PLUGIN([sha1], [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
|
||||
ADD_PLUGIN([md4], [s charon scepclient pki nm cmd])
|
||||
ADD_PLUGIN([md5], [s charon scepclient pki scripts attest nm cmd aikgen])
|
||||
ADD_PLUGIN([rdrand], [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
|
||||
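Review bot: The `sha1` plugin is moved from before `sha2` to after `sha3` in the ADD_PLUGIN list, which changes plugin load order and has nothing to do with the DH group named in the commit title, yet nothing on the page explains it. Presumably the intent is that the SHA-2 family registers ahead of SHA-1 so that anything derived from registration order prefers the stronger hashers — confirm. A short comment next to the moved line, along the lines of `load sha2/sha3 before sha1 so the stronger hashers register first`, or a sentence in the commit message, would stop the next reader from restoring the old order. The gcrypt, gmp and openssl feature lists below apply the same idea to the DH groups.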
|
|
|
@ -98,14 +98,14 @@ METHOD(plugin_t, get_features, int,
|
|||
PLUGIN_PROVIDE(HASHER, HASH_SHA512),
|
||||
/* MODP DH groups */
|
||||
PLUGIN_REGISTER(DH, gcrypt_dh_create),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_224),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_256),
|
||||
PLUGIN_PROVIDE(DH, MODP_1536_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_3072_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_4096_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_6144_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_8192_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_224),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_256),
|
||||
PLUGIN_PROVIDE(DH, MODP_1536_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_1024_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_1024_160),
|
||||
PLUGIN_PROVIDE(DH, MODP_768_BIT),
|
||||
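Review bot: The reordered `PLUGIN_PROVIDE(DH, …)` list now starts at MODP_3072_BIT and runs down to MODP_8192_BIT before returning to MODP_2048_BIT, but the `/* MODP DH groups */` comment still gives no hint that the order is significant, so a later tidy-up that sorts the entries by size would silently undo this change. The same reorder appears in the gmp section (two hunks, where each PROVIDE correctly keeps its `PLUGIN_DEPENDS(RNG, RNG_STRONG)` partner) and in the openssl section. Presumably registration order is what drives group preference in the default proposal, otherwise the reorder would have no effect — confirm against the crypto factory — and the comment should say so, e.g. `/* MODP DH groups, MODP_3072 first: registration order decides preference */`. The feature arrays continue outside the hunks.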
|
|
|
@ -45,14 +45,6 @@ METHOD(plugin_t, get_features, int,
|
|||
static plugin_feature_t f[] = {
|
||||
/* DH groups */
|
||||
PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_BIT),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_224),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_256),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_1536_BIT),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_3072_BIT),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_4096_BIT),
|
||||
|
@ -61,6 +53,14 @@ METHOD(plugin_t, get_features, int,
|
|||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_8192_BIT),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_BIT),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_224),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_256),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_1536_BIT),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_1024_BIT),
|
||||
PLUGIN_DEPENDS(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(DH, MODP_1024_160),
|
||||
|
|
|
@ -379,14 +379,14 @@ METHOD(plugin_t, get_features, int,
|
|||
#ifndef OPENSSL_NO_DH
|
||||
/* MODP DH groups */
|
||||
PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_224),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_256),
|
||||
PLUGIN_PROVIDE(DH, MODP_1536_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_3072_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_4096_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_6144_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_8192_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_224),
|
||||
PLUGIN_PROVIDE(DH, MODP_2048_256),
|
||||
PLUGIN_PROVIDE(DH, MODP_1536_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_1024_BIT),
|
||||
PLUGIN_PROVIDE(DH, MODP_1024_160),
|
||||
PLUGIN_PROVIDE(DH, MODP_768_BIT),
|
||||
|
|
|
@ -40,8 +40,8 @@
|
|||
#define SA_REPLACEMENT_RETRIES_DEFAULT 3
|
||||
#define SA_REPLAY_WINDOW_DEFAULT -1 /* use charon.replay_window */
|
||||
|
||||
static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
|
||||
static const char esp_defaults[] = "aes128-sha1,3des-sha1";
|
||||
static const char ike_defaults[] = "aes128-sha256-modp3072";
|
||||
static const char esp_defaults[] = "aes128-sha256";
|
||||
|
||||
static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
|
||||
|
||||
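Review bot: The new `ike_defaults` collapses the previous two-proposal default to the single `aes128-sha256-modp3072`, so a peer that lacks MODP_3072 or SHA-256 will presumably no longer find a matching proposal where it used to fall back to `3des-sha1-modp1536`; that trade-off follows from the commit title but is not recorded anywhere near the definition. Suggest a comment above the two strings, `/* defaults sized for 128-bit security strength: AES-128, SHA-256, 3072-bit MODP; no legacy fallback by design */`, plus a sentence in the commit message noting that the ESP integrity default also moves from SHA-1 to SHA-256. The code that parses these strings is outside the hunk, so whether a failed negotiation logs the proposals that were offered cannot be checked here.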
|
|
|
@ -1,7 +1,7 @@
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
|
||||
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
|
||||
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
|
||||
|
|
|
@ -8,7 +8,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=camellia256-sha512-modp2048!
|
||||
ike=camellia256-sha512-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
|
||||
conn home
|
||||
|
|
|
@ -8,7 +8,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=camellia256-sha512-modp2048!
|
||||
ike=camellia256-sha512-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
|
||||
conn rw
|
||||
|
|
|
@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
|
||||
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
|
||||
|
|
|
@ -8,7 +8,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=camellia256-sha512-modp2048!
|
||||
ike=camellia256-sha512-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
|
||||
conn home
|
||||
|
|
|
@ -8,7 +8,7 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=camellia256-sha512-modp2048!
|
||||
ike=camellia256-sha512-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
|
||||
conn rw
|
||||
|
|
|
@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=aes128-sha256-modp2048!
|
||||
esp=aes128-sha256-modp2048!
|
||||
ike=aes128-sha256-modp3072!
|
||||
esp=aes128-sha256-modp3072!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=aes128-sha256-modp2048!
|
||||
esp=aes128-sha256-modp2048!
|
||||
ike=aes128-sha256-modp3072!
|
||||
esp=aes128-sha256-modp3072!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
|
|
|
@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-aesxcbc-modp2048!
|
||||
esp=aes128-aesxcbc-modp2048!
|
||||
ike=aes128-aesxcbc-modp3072!
|
||||
esp=aes128-aesxcbc-modp3072!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-aesxcbc-modp2048!
|
||||
esp=aes128-aesxcbc-modp2048!
|
||||
ike=aes128-aesxcbc-modp3072!
|
||||
esp=aes128-aesxcbc-modp3072!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
|
|
|
@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
|||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
|
||||
carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-sha256-modp2048!
|
||||
esp=aes128-sha256_96-modp2048!
|
||||
ike=aes128-sha256-modp3072!
|
||||
esp=aes128-sha256_96-modp3072!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-sha256-modp2048!
|
||||
esp=aes128-sha256_96-modp2048!
|
||||
ike=aes128-sha256-modp3072!
|
||||
esp=aes128-sha256_96-modp3072!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
|
|
|
@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-sha256-modp2048!
|
||||
esp=aes128-sha256-modp2048!
|
||||
ike=aes128-sha256-modp3072!
|
||||
esp=aes128-sha256-modp3072!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-sha256-modp2048!
|
||||
esp=aes128-sha256-modp2048!
|
||||
ike=aes128-sha256-modp3072!
|
||||
esp=aes128-sha256-modp3072!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
|
|
|
@ -2,8 +2,8 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
|
|||
sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
|
||||
moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
|
||||
sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
|
||||
moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
|
||||
sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
|
||||
moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
|
||||
sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
|
||||
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
|
||||
moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
|
||||
sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=null-sha256-modp2048!
|
||||
esp=null-sha256-modp2048!
|
||||
ike=null-sha256-modp3072!
|
||||
esp=null-sha256-modp3072!
|
||||
mobike=no
|
||||
|
||||
conn net-net
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=null-sha256-modp2048!
|
||||
esp=null-sha256-modp2048!
|
||||
ike=null-sha256-modp3072!
|
||||
esp=null-sha256-modp3072!
|
||||
mobike=no
|
||||
|
||||
conn net-net
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
|
||||
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
|
||||
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
|
||||
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
|
||||
moon:: ip xfrm state::enc cbc(camellia)::YES
|
||||
carol::ip xfrm state::enc cbc(camellia)::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
|
||||
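Review bot: Besides the MODP_2048 to MODP_3072 swap, this scenario's ESP check moves from `HMAC_SHA1_96` to `HMAC_SHA2_384_192` and the expected ESP packet length from 196 to 208, which is consistent with the `esp=camellia192-sha384!` change in the two ipsec.conf hunks that follow and a 12-byte larger ICV, but none of it is covered by the commit title. The ikev2 camellia scenario further down carries the identical change. A sentence in the commit message saying that the camellia test scenarios were also moved off SHA-1 for ESP would make the intent clear to whoever bisects a changed packet length later.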
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=camellia256-sha512-modp2048!
|
||||
esp=camellia192-sha1!
|
||||
ike=camellia256-sha512-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev1
|
||||
ike=camellia256-sha512-modp2048!
|
||||
esp=camellia192-sha1!
|
||||
ike=camellia256-sha512-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
|
||||
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
|
||||
moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
|
||||
carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
|
||||
moon:: ip xfrm state::enc cbc(camellia)::YES
|
||||
carol::ip xfrm state::enc cbc(camellia)::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
|
||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
|
||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=camellia256-sha512-modp2048!
|
||||
esp=camellia192-sha1!
|
||||
ike=camellia256-sha512-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=camellia256-sha512-modp2048!
|
||||
esp=camellia192-sha1!
|
||||
ike=camellia256-sha512-modp3072!
|
||||
esp=camellia192-sha384!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
|
|
|
@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
|
|||
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
|
||||
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
|
||||
carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-aesxcbc-modp2048!
|
||||
esp=aes128-aesxcbc-modp2048!
|
||||
ike=aes128-aesxcbc-modp3072!
|
||||
esp=aes128-aesxcbc-modp3072!
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
|
|
|
@ -8,8 +8,8 @@ conn %default
|
|||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
ike=aes128-aesxcbc-modp2048!
|
||||
esp=aes128-aesxcbc-modp2048!
|
||||
ike=aes128-aesxcbc-modp3072!
|
||||
esp=aes128-aesxcbc-modp3072!
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
|
|