+strongswan-4.3.0
+----------------
+
+- The IKEv2 charon daemon can now configure the ESP CAMELLIA-CBC
+ cipher (esp=camellia128|192|256).
+
+
strongswan-4.2.14
-----------------
blowfish128, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128
blowfish192, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192
blowfish256, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256
+camellia128, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 128
+camellia192, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 192
+camellia256, ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC, 256
sha, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0
sha1, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0
sha256, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0
{ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
{ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
{ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
- {END_OF_LIST, NULL },
+/* {ENCR_NULL_AUTH_AES_GMAC, "***" }, */
+ {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
+/* {ENCR_CAMELLIA_CTR, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
+ {END_OF_LIST, NULL }
};
/**
/* {AUTH_DES_MAC, "***" }, */
/* {AUTH_KPDK_MD5, "***" }, */
{AUTH_AES_XCBC_96, "xcbc(aes)" },
- {END_OF_LIST, NULL },
+ {END_OF_LIST, NULL }
};
/**
{IPCOMP_DEFLATE, "deflate" },
{IPCOMP_LZS, "lzs" },
{IPCOMP_LZJH, "lzjh" },
- {END_OF_LIST, NULL },
+ {END_OF_LIST, NULL }
};
/**
"AES_CCM_8",
"AES_CCM_12",
"AES_CCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_AES_GCM_ICV16, ENCR_AES_CCM_ICV16,
+ENUM_NEXT(encryption_algorithm_names, ENCR_AES_GCM_ICV8, ENCR_NULL_AUTH_AES_GMAC, ENCR_AES_CCM_ICV16,
"AES_GCM_8",
"AES_GCM_12",
- "AES_GCM_16");
-ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_AES_GCM_ICV16,
+ "AES_GCM_16",
+ "NULL_AES_GMAC");
+ENUM_NEXT(encryption_algorithm_names, ENCR_CAMELLIA_CBC, ENCR_CAMELLIA_CCM_ICV16, ENCR_NULL_AUTH_AES_GMAC,
+ "CAMELLIA_CBC",
+ "CAMELLIA_CTR",
+ "CAMELLIA_CCM_ICV8",
+ "CAMELLIA_CCM_ICV12",
+ "CAMELLIA_CCM_ICV16");
+ENUM_NEXT(encryption_algorithm_names, ENCR_DES_ECB, ENCR_DES_ECB, ENCR_CAMELLIA_CCM_ICV16,
"DES_ECB");
ENUM_END(encryption_algorithm_names, ENCR_DES_ECB);
* Encryption algorithm, as in IKEv2 RFC 3.3.2.
*/
enum encryption_algorithm_t {
- ENCR_UNDEFINED = 1024,
- ENCR_DES_IV64 = 1,
- ENCR_DES = 2,
- ENCR_3DES = 3,
- ENCR_RC5 = 4,
- ENCR_IDEA = 5,
- ENCR_CAST = 6,
- ENCR_BLOWFISH = 7,
- ENCR_3IDEA = 8,
- ENCR_DES_IV32 = 9,
- ENCR_NULL = 11,
- ENCR_AES_CBC = 12,
- ENCR_AES_CTR = 13,
- ENCR_AES_CCM_ICV8 = 14,
- ENCR_AES_CCM_ICV12 = 15,
- ENCR_AES_CCM_ICV16 = 16,
- ENCR_AES_GCM_ICV8 = 18,
- ENCR_AES_GCM_ICV12 = 19,
- ENCR_AES_GCM_ICV16 = 20,
- ENCR_DES_ECB = 1025
+ ENCR_UNDEFINED = 1024,
+ ENCR_DES_IV64 = 1,
+ ENCR_DES = 2,
+ ENCR_3DES = 3,
+ ENCR_RC5 = 4,
+ ENCR_IDEA = 5,
+ ENCR_CAST = 6,
+ ENCR_BLOWFISH = 7,
+ ENCR_3IDEA = 8,
+ ENCR_DES_IV32 = 9,
+ ENCR_NULL = 11,
+ ENCR_AES_CBC = 12,
+ ENCR_AES_CTR = 13,
+ ENCR_AES_CCM_ICV8 = 14,
+ ENCR_AES_CCM_ICV12 = 15,
+ ENCR_AES_CCM_ICV16 = 16,
+ ENCR_AES_GCM_ICV8 = 18,
+ ENCR_AES_GCM_ICV12 = 19,
+ ENCR_AES_GCM_ICV16 = 20,
+ ENCR_NULL_AUTH_AES_GMAC = 21,
+ ENCR_CAMELLIA_CBC = 23,
+ ENCR_CAMELLIA_CTR = 24,
+ ENCR_CAMELLIA_CCM_ICV8 = 25,
+ ENCR_CAMELLIA_CCM_ICV12 = 26,
+ ENCR_CAMELLIA_CCM_ICV16 = 27,
+ ENCR_DES_ECB = 1025
};
/**
--- /dev/null
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>CAMELLIA_CBC-192/HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
--- /dev/null
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::CAMELLIA_CBC-192/HMAC_SHA1_96::YES
+carol::ipsec statusall::CAMELLIA_CBC-192/HMAC_SHA1_96::YES
+moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha1-modp2048!
+ esp=camellia192-sha1!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
--- /dev/null
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha1-modp2048!
+ esp=camellia192-sha1!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown
+}
--- /dev/null
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
--- /dev/null
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"