Upgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 12 Dec 2015 14:54:48 +0000 (15:54 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 12 Dec 2015 14:54:48 +0000 (15:54 +0100)
46 files changed:
testing/tests/swanctl/frags-ipv4/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/frags-ipv4/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/frags-ipv4/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/frags-ipv6/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/frags-ipv6/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/frags-ipv6/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/ip-pool-db/evaltest.dat
testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/ip-pool/evaltest.dat
testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/multi-level-ca/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/multi-level-ca/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/multi-level-ca/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-cert/evaltest.dat
testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-route/evaltest.dat
testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-start/evaltest.dat
testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
testing/tests/swanctl/ocsp-multi-level/evaltest.dat
testing/tests/swanctl/ocsp-multi-level/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/ocsp-multi-level/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/ocsp-multi-level/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-cert/evaltest.dat
testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-hash-and-url/evaltest.dat
testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf

index 9062e65..6b01dfc 100755 (executable)
@@ -17,17 +17,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 1 
       fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
index a4abc6f..e1d2487 100755 (executable)
@@ -17,18 +17,13 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       mobike = no 
       fragmentation = yes 
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
index a19f542..2d219cd 100755 (executable)
@@ -15,17 +15,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       mobike = no
       fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
index 9e857f6..71fc4ea 100755 (executable)
@@ -17,17 +17,12 @@ connections {
          home {
             remote_ts = fec1::/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 1 
       fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
index bc5e541..f4e8a81 100755 (executable)
@@ -17,18 +17,13 @@ connections {
          home {
             remote_ts = fec1::/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       mobike = no 
       fragmentation = yes 
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
index a59d137..a6241e9 100755 (executable)
@@ -15,17 +15,12 @@ connections {
          net {
             local_ts = fec1::/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       mobike = no
       fragmentation = yes
-      reauth_time = 60m
-      rekey_time =  20m
       proposals = aes128-sha256-ecp256
    }
 }
index f76c356..04edad1 100755 (executable)
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES
 moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
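Review bot: The two `moon::` expectations on the new side (`--ike-id 1` and `--ike-id 2`) have no trailing `::YES` result field, while the `carol::` and `dave::` lines directly above them and the equivalent moon lines in rw-cert/evaltest.dat do. If the test runner decides pass/fail from that fourth field, the upgraded `dh-group=MODP_3072` match on moon's side is never enforced in this scenario — worth confirming against the runner. Appending `::YES` to both lines brings them in line with the rest of the file. The ip-pool/evaltest.dat hunk carries the same two lines and needs the same change.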
index 0bb3414..f1a76db 100755 (executable)
@@ -18,16 +18,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
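Review bot: Besides the MODP-2048 to MODP-3072 upgrade, this hunk also drops `start_action = none`, `rekey_time = 10m`, `reauth_time = 60m` and `rekey_time = 20m`, none of which the commit title mentions; the same lifetime removals appear in every other swanctl.conf hunk of this commit (frags-ipv4, frags-ipv6, ip-pool, net2net-cert, net2net-route, net2net-start). Removing `start_action = none` is presumably a no-op since that is the default, but the lifetime removals change what the scenarios exercise: the connections now run on the daemon's default rekey interval and, if I recall the default correctly, with reauthentication disabled — confirm. A sentence in the commit message, or a separate cleanup commit, would make that intent reviewable. The sun hosts of net2net-route and net2net-start also keep `start_action = none`, so the cleanup is not applied uniformly.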
index 24d2f86..184185b 100755 (executable)
@@ -18,16 +18,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index d05dea0..3975512 100755 (executable)
@@ -16,16 +16,11 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index a0891c3..9c3c72b 100755 (executable)
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES
index 0bb3414..f1a76db 100755 (executable)
@@ -18,16 +18,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index 24d2f86..184185b 100755 (executable)
@@ -18,16 +18,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index aa31d0f..8d4dd6b 100755 (executable)
@@ -16,17 +16,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
index 89fccff..e6c90c0 100755 (executable)
@@ -24,7 +24,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
index 0a87ed3..5ca7bb5 100755 (executable)
@@ -24,7 +24,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
index 496c5fd..574887d 100755 (executable)
@@ -19,7 +19,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
@@ -43,7 +42,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
index cdbecd5..898f2f2 100755 (executable)
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index 2f0fd9d..b1c005b 100755 (executable)
@@ -18,17 +18,12 @@ connections {
             local_ts  = 10.1.0.0/16 
             remote_ts = 10.2.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index e4c8556..c351213 100755 (executable)
@@ -18,17 +18,12 @@ connections {
             local_ts  = 10.2.0.0/16 
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index 04df90b..31894d2 100755 (executable)
@@ -1,7 +1,7 @@
 moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
 moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index 1dfcfd1..3de6edc 100755 (executable)
@@ -20,15 +20,11 @@ connections {
 
             start_action = trap 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index e4c8556..5a9cd13 100755 (executable)
@@ -20,15 +20,11 @@ connections {
 
             start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index cdbecd5..898f2f2 100755 (executable)
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
index 6770f6a..0713e7d 100755 (executable)
@@ -20,15 +20,11 @@ connections {
 
             start_action = start 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index e4c8556..5a9cd13 100755 (executable)
@@ -20,15 +20,11 @@ connections {
 
             start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
       mobike = no
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
index db10ac1..4da0a6f 100644 (file)
@@ -1,8 +1,8 @@
-moon:: swanctl --list-certs --type ocsp 2> /dev/null::issuer.*ocsp.research.strongswan.org::YES
-moon:: swanctl --list-certs --type ocsp 2> /dev/null::issuer.*ocsp.sales.strongswan.org::YES
-moon:: swanctl --list-certs --type ocsp 2> /dev/null::issuer.*ocsp.strongswan.org::YES
-carol::swanctl --list-certs --type ocsp 2> /dev/null::issuer.*ocsp.strongswan.org::YES
-dave:: swanctl --list-certs --type ocsp 2> /dev/null::issuer.*ocsp.strongswan.org::YES
+moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.research.strongswan.org::YES
+moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.sales.strongswan.org::YES
+moon:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES
+carol::swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES
+dave:: swanctl --list-certs --type ocsp_response 2> /dev/null::issuer.*ocsp.strongswan.org::YES
 moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.research.strongswan.org::YES
 moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.sales.strongswan.org::YES
 moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*ocsp.strongswan.org::YES
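Review bot: The change of the certificate type argument from `--type ocsp` to `--type ocsp_response` on the first five lines is unrelated to the proposal upgrade the commit title describes and is not explained anywhere in the commit message. If the old spelling was not accepted by swanctl, these five `::YES` checks were failing before this commit, which is worth stating explicitly so the history records why the expectation moved; a separate commit would make that clearer still.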
index 26c3a89..7867fde 100755 (executable)
@@ -24,7 +24,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
index 8752e9b..0c30521 100755 (executable)
@@ -24,7 +24,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
index 2cb0501..c5beb2c 100755 (executable)
@@ -19,7 +19,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
@@ -43,7 +42,6 @@ connections {
             esp_proposals = aes128-sha256-ecp256
          }
       }
-
       version = 2
       proposals = aes128-sha256-ecp256
    }
index ee3fb76..f9e28bf 100755 (executable)
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
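Review bot: The child-SA half of each new pattern still pins only `encr-alg=AES_GCM_16 encr-keysize=128`, so the PFS group that the matching `esp_proposals = aes128gcm128-modp3072` now requests is never asserted; only the IKE SA's `dh-group=MODP_3072` is checked. If `swanctl --list-sas --raw` prints the child SA's group (I believe it does, as a `dh-group=` attribute in the child-sas section), extend the four lines with `encr-keysize=128 dh-group=MODP_3072.*local-ts=` so a peer that negotiates ESP without PFS would make the scenario fail rather than pass. As written, the test proves 128-bit IKE but only assumes 128-bit ESP key agreement.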
index 0ba2433..8a29c30 100755 (executable)
@@ -17,16 +17,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
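Review bot: Dropping `reauth_time = 60m`, `rekey_time = 20m` and the child `rekey_time = 10m` is a behaviour change unrelated to the proposal upgrade: the connection now falls back to the daemon's default lifetimes, while the commit message only mentions the move to 128-bit proposals. If this scenario is meant to stop exercising rekeying, say so in the message; otherwise keep the three lifetime lines and change only `esp_proposals = aes128gcm128-modp3072` and `proposals = aes128-sha256-modp3072`. Removing `start_action = none` is harmless if none is swanctl's default, as I believe it is. The enclosing `connections` block starts before the hunk.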
index a3420a4..e65ec7a 100755 (executable)
@@ -17,16 +17,11 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
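Review bot: The removal of `reauth_time`, the IKE `rekey_time` and the child `rekey_time` here silently changes when this peer rekeys and reauthenticates, which is not what the commit title announces. Either restore those lines alongside `proposals = aes128-sha256-modp3072` / `esp_proposals = aes128gcm128-modp3072`, or note in the commit message that the swanctl scenarios now rely on default lifetimes. The `connections` block begins above the hunk.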
index 861d65a..a3c51c8 100755 (executable)
@@ -15,16 +15,11 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
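Review bot: Nothing in the file records why the responder moved from modp2048 to modp3072, which is the line that actually carries the "128 bit security" claim; a reader comparing this with scenarios that use `ecp256` will not see that the two are meant to be equivalent. I'd add one comment above `proposals = aes128-sha256-modp3072`, e.g. `# modp3072 is the smallest MODP group rated ~128-bit, matching AES-128/SHA-256 (NIST SP 800-57)`. Since moon offers a single proposal, any initiator still configured for modp2048 will presumably be rejected with NO_PROPOSAL_CHOSEN, which is worth keeping in mind while sibling scenarios are migrated. The `connections` block starts before the hunk.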
index 5242db1..afad444 100755 (executable)
@@ -2,10 +2,10 @@ carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
 dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
 moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
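Review bot: Only the IKE SA's `dh-group=MODP_3072` is pinned in the rewritten lines; the `.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128` part never checks which group the CHILD_SA was derived with, even though the scenario's `esp_proposals` now request modp3072 PFS. If the raw child-sas output carries a `dh-group=` attribute (I believe it does), inserting `dh-group=MODP_3072` right after `encr-keysize=128` in the four patterns would close that gap. Otherwise the test would still pass if PFS were dropped from the ESP proposal.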
index 7b0b2ad..401b9fa 100755 (executable)
@@ -17,17 +17,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
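Review bot: The three lifetime lines (`rekey_time = 10m` in the child, `reauth_time = 60m` and `rekey_time =  20m` in the IKE section) are removed here without mention in the commit message, so this connection now rekeys and reauthenticates on daemon defaults instead of the short intervals the scenario used to exercise. Keep them, or document the intent; the proposal change itself needs only `esp_proposals = aes128gcm128-modp3072` and `proposals = aes128-sha256-modp3072`. The `connections` block starts before the hunk.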
index b4d8209..b1e734d 100755 (executable)
@@ -17,17 +17,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
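Review bot: Same concern as the initiator's peer file: dropping `reauth_time`, `rekey_time` and the child `rekey_time` is a functional change hidden inside a proposal upgrade. If short lifetimes are no longer wanted in this scenario, state it in the commit message; if they are, restore the three lines next to `proposals = aes128-sha256-modp3072`. The hunk cuts into a `connections` block whose header is above it.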
index 258d9e8..f893175 100755 (executable)
@@ -15,17 +15,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
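Review bot: The responder now offers exactly one IKE and one ESP proposal, both tied to modp3072, and the config gives no hint that this is the 128-bit-equivalent MODP size; a short comment over `proposals = aes128-sha256-modp3072` such as `# modp3072 ~ 128-bit strength, consistent with aes128/sha256` would make the intent of the commit survive in the file. Dropping `start_action = none` should be a no-op if none is the default, as I believe. The `connections` block starts before the hunk.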
index bb5e08b..a53332a 100755 (executable)
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
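Review bot: The two rewritten moon lines (`--ike-id 1` and `--ike-id 2`) still end at `remote-ts=\[192.168.0.x/32]` without the `::YES` field that the carol and dave lines carry, and this commit touched them without fixing it; depending on how the harness treats an empty fourth field, the check is either skipped or evaluated with the wrong expectation. Append `::YES` to both moon lines, as on the carol line above them. Separately, none of the four child-SA patterns pins the PFS group; `dh-group=MODP_3072` after `encr-keysize=128` would, if the raw child-sas output carries it as I believe it does.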
index c113620..9bf759e 100755 (executable)
@@ -16,17 +16,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
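Review bot: Besides the intended `modp2048` → `modp3072` change, this hunk removes `rekey_time = 10m`, `reauth_time = 60m` and `rekey_time =  20m`, which alters how often the tunnel rekeys and reauthenticates and is not covered by the commit message. Keep the lifetimes or mention their removal explicitly; only `esp_proposals = aes128gcm128-modp3072` and `proposals = aes128-sha256-modp3072` are needed for the upgrade. The `connections` block starts before the hunk.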
index 928fd04..1f2beef 100755 (executable)
@@ -16,17 +16,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
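Review bot: Same unannounced removal of `reauth_time`, `rekey_time` and the child `rekey_time` as in the peer file; the scenario falls back to default lifetimes while the title only speaks of proposals. Either restore the three lines beside `proposals = aes128-sha256-modp3072` or document the change in the commit message. The enclosing `connections` block begins above the hunk.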
index 8cae3e8..7138b5d 100755 (executable)
@@ -14,17 +14,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
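Review bot: The responder's single `proposals = aes128-sha256-modp3072` / `esp_proposals = aes128gcm128-modp3072` pair is now the gate for this scenario, and the file does not explain the group choice; one comment, e.g. `# modp3072: ~128-bit strength, matching aes128/sha256/aes128gcm128`, would tie it to the commit's rationale. Any initiator still offering modp2048 will presumably fail with NO_PROPOSAL_CHOSEN, so the peer files need to move in lockstep. The `connections` block starts before the hunk.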
index 142e88e..55818c9 100755 (executable)
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=192.168.0.100 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=192.168.0.200 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.100 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.200 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=192.168.0.100 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=192.168.0.200 remote-host=192.168.0.1 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.100 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=192.168.0.1 remote-host=192.168.0.200 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
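Review bot: The rewritten moon lines for `--ike-id 1` and `--ike-id 2` lack the trailing `::YES` that the carol and dave lines end with, so the expectation field is empty on exactly the two responder-side checks; the commit rewrote these lines and could have fixed it. Add `::YES` after `remote-ts=\[192.168.0.100/32]` and `remote-ts=\[192.168.0.200/32]`. As in the other patterns, the child-SA regex does not assert `dh-group=MODP_3072`, so ESP PFS with the new group is configured but never verified if the raw output exposes it.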
index bd00fc3..8b3863b 100755 (executable)
@@ -16,17 +16,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
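Review bot: Removing `rekey_time = 10m`, `reauth_time = 60m` and `rekey_time =  20m` changes this initiator's rekey/reauth behaviour and is not what the commit message describes; the proposal upgrade only needs `esp_proposals = aes128gcm128-modp3072` and `proposals = aes128-sha256-modp3072`. Either restore the lifetime lines or state in the message that the scenarios now use default lifetimes. `start_action = none` going away should be behaviour-neutral if none is the default. The `connections` block starts before the hunk.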
index b30790b..83f3c0a 100755 (executable)
@@ -16,17 +16,12 @@ connections {
          home {
             remote_ts = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }
 
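Review bot: As with the peer file, the three lifetime settings disappear here without mention; if the intent is a pure crypto upgrade, keep `reauth_time = 60m`, `rekey_time =  20m` and the child `rekey_time = 10m` and change only the two proposal lines to modp3072. Otherwise document the lifetime change in the commit message. The `connections` block begins above the hunk.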
index 098b3c0..9b4f7ce 100755 (executable)
@@ -13,17 +13,12 @@ connections {
          net {
             local_ts  = 10.1.0.0/16 
 
-            start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            rekey_time = 10m 
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-modp3072
          }
       }
-
       version = 2
-      reauth_time = 60m
-      rekey_time =  20m
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-modp3072
    }
 }