testing: Convert swanctl scenarios to curve-25519
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 29 Dec 2016 10:48:42 +0000 (11:48 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 30 Dec 2016 15:22:12 +0000 (16:22 +0100)
55 files changed:
testing/tests/swanctl/dhcp-dynamic/evaltest.dat
testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-multicast/evaltest.dat
testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
testing/tests/swanctl/protoport-dual/evaltest.dat
testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/protoport-range/evaltest.dat
testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-dnssec/evaltest.dat
testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf

index bc85611..7b88c6d 100644 (file)
@@ -2,10 +2,10 @@ alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_.eq=1::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32]
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
index 5b06b25..dda67e0 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default resolve updown vici
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index f1a76db..b97935a 100755 (executable)
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 5b06b25..dda67e0 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default resolve updown vici
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 184185b..71631b3 100755 (executable)
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 36e4e77..1f1e0a6 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
index e19568b..82f41ca 100755 (executable)
@@ -17,10 +17,10 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index ebaad54..a520e5c 100644 (file)
@@ -5,8 +5,8 @@ carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001@strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
 moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
 dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
index bccbe5a..7e2ee00 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 944e78e..648941f 100755 (executable)
@@ -23,10 +23,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index bccbe5a..7e2ee00 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index bca5ad3..902e5f0 100755 (executable)
@@ -23,10 +23,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 7f90207..40b0c59 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 396eff5..e9c9d26 100755 (executable)
@@ -21,10 +21,10 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index e29f312..6efa23a 100644 (file)
@@ -2,8 +2,8 @@ alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 bob::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 sun::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/16 224.0.0.251/32]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/32]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/16 224.0.0.251/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/32]::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
index bbd60d8..2ff6ac0 100644 (file)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
index 89d616c..63a500e 100755 (executable)
@@ -24,12 +24,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 48c4b83..b119e82 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
index 68ba24a..6832a23 100755 (executable)
@@ -24,12 +24,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 1d9bd64..4c56d52 100755 (executable)
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index 5b67bf3..f102eee 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 9034651..7f188e1 100755 (executable)
@@ -22,12 +22,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 5b67bf3..f102eee 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 2b9ddcf..d784bbd 100755 (executable)
@@ -22,12 +22,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 74ba593..b5eec4b 100644 (file)
@@ -1,7 +1,7 @@
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index 5cf4d0c..383a242 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index c33f05c..6c348bf 100755 (executable)
@@ -19,17 +19,17 @@ connections {
             remote_ts = 10.1.0.0/16[icmp]
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
          ssh {
             local_ts  = dynamic[tcp]
             remote_ts = 10.1.0.0/16[tcp/ssh]
             
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 5cf4d0c..383a242 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 71d7099..ba647f3 100755 (executable)
@@ -18,7 +18,7 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
          ssh {
             local_ts  = 10.1.0.0/16[tcp/ssh]
@@ -26,10 +26,10 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 45bf76f..c8d4c05 100644 (file)
@@ -1,7 +1,7 @@
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/8]] remote-ts=\[10.1.0.0/16\[icmp/8]].*icmp-rep.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/0]] remote-ts=\[10.1.0.0/16\[icmp/0]].*ftp-ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[192.168.0.100/32\[tcp/32768-65535]] remote-ts=\[10.1.0.0/16\[tcp/21-22]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/8]] remote-ts=\[192.168.0.100/32\[icmp/8]].*icmp-rep.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/0]] remote-ts=\[192.168.0.100/32\[icmp/0]].*ftp-ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=MODP_3072.*local-ts=\[10.1.0.0/16\[tcp/21-22]] remote-ts=\[192.168.0.100/32\[tcp/32768-65535]]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/8]] remote-ts=\[10.1.0.0/16\[icmp/8]].*icmp-rep.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/0]] remote-ts=\[10.1.0.0/16\[icmp/0]].*ftp-ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp/32768-65535]] remote-ts=\[10.1.0.0/16\[tcp/21-22]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/8]] remote-ts=\[192.168.0.100/32\[icmp/8]].*icmp-rep.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/0]] remote-ts=\[192.168.0.100/32\[icmp/0]].*ftp-ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/21-22]] remote-ts=\[192.168.0.100/32\[tcp/32768-65535]]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index 5cf4d0c..383a242 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 4414172..a4993e4 100755 (executable)
@@ -19,24 +19,24 @@ connections {
             remote_ts = 10.1.0.0/16[icmp/2048]
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
          icmp-rep {
             local_ts  = dynamic[icmp/0]
             remote_ts = 10.1.0.0/16[icmp/0]
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
          ftp-ssh {
             local_ts  = dynamic[tcp/32768-65535]
             remote_ts = 10.1.0.0/16[tcp/21-22]
             
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 5cf4d0c..383a242 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index c5a2a71..510a5cf 100755 (executable)
@@ -18,7 +18,7 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
          icmp-rep {
             local_ts  = 10.1.0.0/16[icmp/0]
@@ -26,7 +26,7 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
          ftp-ssh {
             local_ts  = 10.1.0.0/16[tcp/21-22]
@@ -34,10 +34,10 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 6dafe78..73a2ff4 100644 (file)
@@ -1,15 +1,15 @@
 carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
 moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
index 7913daf..ec66253 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
index 2d14b32..75ffc28 100755 (executable)
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 7913daf..ec66253 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
index ba511a4..a7d52b6 100755 (executable)
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 9eafa0d..dcca175 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey gmp hmac vici kernel-netlink socket-default updown attr
+  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
index 33c4170..dd075e5 100755 (executable)
@@ -17,11 +17,11 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
 
index 51bf8c1..8a8a95f 100755 (executable)
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
index 3b492f0..14afb43 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 229b602..07d35e4 100755 (executable)
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 3b492f0..14afb43 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index adf9326..4c1e07b 100755 (executable)
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 646ee0e..c090d68 100755 (executable)
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index ec6b06b..8e8260b 100755 (executable)
@@ -16,11 +16,11 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
index 032cd68..dd0d8ec 100644 (file)
@@ -4,10 +4,10 @@ alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
 venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES
-venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES
-sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES
-sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES
+sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
 moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
index 9622bb0..ee5b261 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 373f8a7..a7cba5b 100755 (executable)
@@ -18,11 +18,11 @@ connections {
             remote_ts = 0.0.0.0/0 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 
    local-net {
index 38794af..e5c0136 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index 2f21d4a..1e94c2f 100755 (executable)
@@ -17,11 +17,11 @@ connections {
             local_ts  = 0.0.0.0/0
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 }
 
index 9622bb0..ee5b261 100644 (file)
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
index bb9ca08..a582f84 100755 (executable)
@@ -18,11 +18,11 @@ connections {
             remote_ts = 0.0.0.0/0 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
    }
 
    local-net {