
Specify compatibility issues with strongSwan & Openswan. Provided work-around to the issues.
shussain committed Aug 21, 2018
1 parent e19c6c3 commit bf0449afaf1b8afbcb040dd302942845c8a80a8c
Showing with 43 additions and 0 deletions.
  1. +6 −0 BUGS
  2. +37 −0 COMPATIBILITY_ISSUES
BUGS
@@ -3,6 +3,12 @@ release, the following are considered known bugs.
For a detailed list, see https://github.com/xelerance/Openswan/issues
* OpenSWAN v2.6.51 and strongSwan have a compatibility issue when pfs=yes.
Please see COMPATABILITY_ISSUES file for details and work around.
* OpenSWAN v2.6.51 and strongSwan default proposals are incompatible. Please
see COMPATABILITY_ISSUES file for details and work around.
* It was our intent for Opportunistic Encryption to work with 4096 bit keys.
Currently, there is a buffer limitation that prevents this; the additional
text in TXT records wasn't properly factored into the buffer length. If
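Review bot: both new bullets point the reader at a file called COMPATABILITY_ISSUES, but the file this same commit adds is named COMPATIBILITY_ISSUES (see the file list above), so the pointer leads nowhere; correct the spelling in both bullets. Minor: as a noun, "work around" reads better hyphenated ("work-around"), matching the commit message.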
COMPATIBILITY_ISSUES
@@ -0,0 +1,37 @@
* Openswan v2.6.51 and strongSwan default proposals are incompatible.
To successfully interoperate with strongSwan, it is advised to
explicitly define the protocols to use; which includes IKE version
IKE protocols, and ESP/AH protocols.
A working example:
OpenSWAN
---------
conn os-ss
ikev2=insist
ike=aes128-md5-modp2048
phase2alg=aes256-sha1
pfs=no
strongSwan
---------
conn os-ss
keyexchange=ikev2
ike=aes128-md5-modp2048
esp=aes256-sha1
Tested protocols:
* ikev1 and ikev2
* ipv4, NAT-T, ipv6
* encryption: aes128, aes256
* integrity: md5, sha1
* DH-group: modp2048
* There is an interoperability issue between Openswan and strongSwan
when pfs=yes
In the case of pfs=yes configuration, a DH-group must be negotiated
for the child/ESP SA. Currently, the latest version of pluto will not
include the DH-group when negotiating ESP.
Therefore, it is advised to explicitly disable PFS.
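Review bot: the "working example" documents a configuration that both disables forward secrecy (pfs=no) and selects MD5 as the IKE integrity/PRF algorithm (ike=aes128-md5-modp2048), without saying what is given up; since sha1 is listed under the tested integrity algorithms, suggest the example use `ike=aes128-sha1-modp2048` on both sides and that the pfs=no advice state plainly that the child SA then has no perfect forward secrecy, so operators can weigh the interoperability gain against the loss. The phrase "the latest version of pluto" is also vague and will go stale; name the affected version (v2.6.51, as the rest of the file does) and, if one exists, link the tracking issue. Style: "IKE version IKE protocols" is missing a comma ("IKE version, IKE protocols, and ESP/AH protocols").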

0 comments on commit bf0449a