128 bit default security strength requires 3072 bit prime DH group
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 14 Dec 2015 09:39:40 +0000 (10:39 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 14 Dec 2015 09:39:40 +0000 (10:39 +0100)
35 files changed:
configure.ac
src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
src/libstrongswan/plugins/gmp/gmp_plugin.c
src/libstrongswan/plugins/openssl/openssl_plugin.c
src/starter/confread.c
testing/tests/af-alg/alg-camellia/evaltest.dat
testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/ikev1/alg-sha256/evaltest.dat
testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/alg-sha256-96/evaltest.dat
testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/alg-sha256/evaltest.dat
testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
testing/tests/libipsec/net2net-null/evaltest.dat
testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf

index a7419fd..944e37e 100644 (file)
@@ -1292,9 +1292,9 @@ ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([sha3],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([md4],                  [s charon scepclient pki nm cmd])
 ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd aikgen])
 ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
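Review bot: The sha1 plugin is moved below sha2 and sha3 without any comment, and the commit title only explains the DH-group change, so the reason for this reorder is lost on the next reader. Presumably the ADD_PLUGIN order drives the default plugin load order and hence which hasher the default proposals prefer — if that is the intent, say so inline, e.g. `# sha1 deliberately listed after sha2/sha3 so SHA-2 based algorithms are preferred in default proposals`. If the order is not meant to be significant, the move should be dropped to keep the hunk minimal.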
index 04f1f43..7ecba8f 100644 (file)
@@ -98,14 +98,14 @@ METHOD(plugin_t, get_features, int,
                        PLUGIN_PROVIDE(HASHER, HASH_SHA512),
                /* MODP DH groups */
                PLUGIN_REGISTER(DH, gcrypt_dh_create),
-                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-                       PLUGIN_PROVIDE(DH, MODP_2048_224),
-                       PLUGIN_PROVIDE(DH, MODP_2048_256),
-                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
                        PLUGIN_PROVIDE(DH, MODP_3072_BIT),
                        PLUGIN_PROVIDE(DH, MODP_4096_BIT),
                        PLUGIN_PROVIDE(DH, MODP_6144_BIT),
                        PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+                       PLUGIN_PROVIDE(DH, MODP_2048_224),
+                       PLUGIN_PROVIDE(DH, MODP_2048_256),
+                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
                        PLUGIN_PROVIDE(DH, MODP_1024_BIT),
                        PLUGIN_PROVIDE(DH, MODP_1024_160),
                        PLUGIN_PROVIDE(DH, MODP_768_BIT),
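Review bot: The MODP feature list is reordered so that MODP_3072_BIT comes first, but the only comment above it is still `/* MODP DH groups */`, leaving the reader to guess that registration order is what makes 3072 bit the preferred default group. The same reorder is made in gmp_plugin.c (both hunks, including the `PLUGIN_DEPENDS(RNG, RNG_STRONG)` pairs) and openssl_plugin.c, so one explanatory comment per list is warranted, e.g. `/* MODP DH groups; 3072 bit listed first as it is the smallest group meeting the 128 bit security target, 2048/1536 bit follow as fallbacks */`. Note that the weaker 1024/768 bit groups stay registered below, which is unchanged behaviour but worth a word in the commit message if the reorder is what makes them non-default. The enclosing get_features() body starts and ends outside the hunk.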
index d93aa14..ea75896 100644 (file)
@@ -45,14 +45,6 @@ METHOD(plugin_t, get_features, int,
        static plugin_feature_t f[] = {
                /* DH groups */
                PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
-                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
-                       PLUGIN_PROVIDE(DH, MODP_2048_224),
-                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
-                       PLUGIN_PROVIDE(DH, MODP_2048_256),
-                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
-                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
-                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_3072_BIT),
                                PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_4096_BIT),
@@ -61,6 +53,14 @@ METHOD(plugin_t, get_features, int,
                                PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_8192_BIT),
                                PLUGIN_DEPENDS(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(DH, MODP_2048_224),
+                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(DH, MODP_2048_256),
+                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_1024_BIT),
                                PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_1024_160),
index e48efe3..2b05adb 100644 (file)
@@ -379,14 +379,14 @@ METHOD(plugin_t, get_features, int,
 #ifndef OPENSSL_NO_DH
                /* MODP DH groups */
                PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
-                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-                       PLUGIN_PROVIDE(DH, MODP_2048_224),
-                       PLUGIN_PROVIDE(DH, MODP_2048_256),
-                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
                        PLUGIN_PROVIDE(DH, MODP_3072_BIT),
                        PLUGIN_PROVIDE(DH, MODP_4096_BIT),
                        PLUGIN_PROVIDE(DH, MODP_6144_BIT),
                        PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+                       PLUGIN_PROVIDE(DH, MODP_2048_224),
+                       PLUGIN_PROVIDE(DH, MODP_2048_256),
+                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
                        PLUGIN_PROVIDE(DH, MODP_1024_BIT),
                        PLUGIN_PROVIDE(DH, MODP_1024_160),
                        PLUGIN_PROVIDE(DH, MODP_768_BIT),
index c3a0ac0..897aa42 100644 (file)
@@ -40,8 +40,8 @@
 #define SA_REPLACEMENT_RETRIES_DEFAULT   3
 #define SA_REPLAY_WINDOW_DEFAULT        -1 /* use charon.replay_window */
 
-static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
-static const char esp_defaults[] = "aes128-sha1,3des-sha1";
+static const char ike_defaults[] = "aes128-sha256-modp3072";
+static const char esp_defaults[] = "aes128-sha256";
 
 static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
 
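Review bot: The new `ike_defaults`/`esp_defaults` collapse two proposals into a single one with no SHA-1 fallback, so a peer that still negotiates only the former `aes128-sha1-modp2048` or `3des-sha1` set will fail to establish an SA whenever `ike=`/`esp=` are left unset — that interoperability change deserves a comment on the constants and a NEWS entry, neither of which this commit adds. Suggested comment above the two lines: `/* 128 bit security strength: AES-128, SHA-256, 3072 bit MODP; no legacy SHA-1/3DES fallback, so peers must support these algorithms */`. If ipsec.conf(5) documents these defaults, it needs the matching update as well, since the diffstat shows no man-page change.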
index 2096cb9..f87c8f7 100644 (file)
@@ -1,7 +1,7 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
index 11dece4..f0bbfc1 100644 (file)
@@ -8,7 +8,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
+       ike=camellia256-sha512-modp3072!
        esp=camellia192-sha384!
 
 conn home
index ecbb94d..8481f89 100644 (file)
@@ -8,7 +8,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
+       ike=camellia256-sha512-modp3072!
        esp=camellia192-sha384!
 
 conn rw
index 5f0bb3c..236647b 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
index 11dece4..f0bbfc1 100644 (file)
@@ -8,7 +8,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
+       ike=camellia256-sha512-modp3072!
        esp=camellia192-sha384!
 
 conn home
index ecbb94d..8481f89 100644 (file)
@@ -8,7 +8,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
+       ike=camellia256-sha512-modp3072!
        esp=camellia192-sha384!
 
 conn rw
index eba8567..c826c3f 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
index 73e2571..1c22797 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256-modp3072!
 
 conn home
        left=PH_IP_CAROL
index 0a6f48e..177aebf 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256-modp3072!
 
 conn rw
        left=PH_IP_MOON
index f110183..c896b5f 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
index 74668e7..c9e9e92 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-aesxcbc-modp2048!
-       esp=aes128-aesxcbc-modp2048!
+       ike=aes128-aesxcbc-modp3072!
+       esp=aes128-aesxcbc-modp3072!
 
 conn home
        left=PH_IP_CAROL
index 3cda729..4e4a932 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-aesxcbc-modp2048!
-       esp=aes128-aesxcbc-modp2048!
+       ike=aes128-aesxcbc-modp3072!
+       esp=aes128-aesxcbc-modp3072!
 
 conn rw
        left=PH_IP_MOON
index 6c4e237..8ad0fb2 100644 (file)
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
 carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
index 0d3b9fd..90a1436 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256_96-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256_96-modp3072!
 
 conn home
        left=PH_IP_CAROL
index b0a5c46..e0b2625 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256_96-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256_96-modp3072!
 
 conn rw
        left=PH_IP_MOON
index eba8567..c826c3f 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
index 22d2cd3..6890ea4 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256-modp3072!
 
 conn home
        left=PH_IP_CAROL
index 543374d..5831118 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256-modp3072!
 
 conn rw
        left=PH_IP_MOON
index e455a36..0cafb4f 100644 (file)
@@ -2,8 +2,8 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
 sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
index 4ecfb0e..f206a16 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=null-sha256-modp2048!
-       esp=null-sha256-modp2048!
+       ike=null-sha256-modp3072!
+       esp=null-sha256-modp3072!
        mobike=no
 
 conn net-net
index 95ea20d..21b1165 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=null-sha256-modp2048!
-       esp=null-sha256-modp2048!
+       ike=null-sha256-modp3072!
+       esp=null-sha256-modp3072!
        mobike=no
 
 conn net-net
index 4d614bf..3b67703 100644 (file)
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
index 7a27680..4628311 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
-       ike=camellia256-sha512-modp2048!
-       esp=camellia192-sha1!
+       ike=camellia256-sha512-modp3072!
+       esp=camellia192-sha384!
 
 conn home
        left=PH_IP_CAROL
index fb892a0..da1fbf0 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
-       ike=camellia256-sha512-modp2048!
-       esp=camellia192-sha1!
+       ike=camellia256-sha512-modp3072!
+       esp=camellia192-sha384!
 
 conn rw
        left=PH_IP_MOON
index 4d614bf..3b67703 100644 (file)
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
index 0042954..f0bbfc1 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
-       esp=camellia192-sha1!
+       ike=camellia256-sha512-modp3072!
+       esp=camellia192-sha384!
 
 conn home
        left=PH_IP_CAROL
index 0f6a4f5..8481f89 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
-       esp=camellia192-sha1!
+       ike=camellia256-sha512-modp3072!
+       esp=camellia192-sha384!
 
 conn rw
        left=PH_IP_MOON
index 590b7fe..9c6b73b 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
index 74668e7..c9e9e92 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-aesxcbc-modp2048!
-       esp=aes128-aesxcbc-modp2048!
+       ike=aes128-aesxcbc-modp3072!
+       esp=aes128-aesxcbc-modp3072!
 
 conn home
        left=PH_IP_CAROL
index 3cda729..4e4a932 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-aesxcbc-modp2048!
-       esp=aes128-aesxcbc-modp2048!
+       ike=aes128-aesxcbc-modp3072!
+       esp=aes128-aesxcbc-modp3072!
 
 conn rw
        left=PH_IP_MOON