• view
• edit
• upload
• print
• history

Based on JuanJo's HOWTO.ipsec_alg and CHANGES.ipsec_alg docs.

This applies to Openswan 1.0.*, and Openswan 2.2.0+ (and CVS HEAD too).

Note: ALG support is not in Openswan 2.1.*

Phase1 IKE algorithms

• Add to your dotconf for the connection:

        ike=aes128-sha1,aes128-md5

        NOTE: Phase1 sha1 string is "sha1"

• which is the SAME AS ...

        ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024

• or you can be more specific ...

        ike=aes128-sha1-modp1536,aes128-md5-modp1536

• or more paranoid ...

        ike=aes128-sha2_256-modp2048

Phase2 ESP algorithms

       NOTE: missing pfsgroup=modpXXXX implies using
             pfsgroup equal to Phase1' DH group

• Add to your dotconf for the connection:

        esp=aes128-sha1,aes128-md5

• which is the SAME AS ...

        esp=aes128-sha1,aes128-md5

• or you can be more specific ...

        esp=aes128-sha1
        pfsgroup=modp1536

• or more paranoid ...

        esp=aes128-sha2_256
        pfsgroup=modp2048

Cryptoapi kernel module Information

By default, loading ipsec_cryptoapi will try to register all cryptoapi supported ciphers that have ESP id defined.

   module args:
     latebind=1   delay cryptoapi cipher binding until SA creation time
     noauto=1     won't auto register all algos, only forced ones:
     excl=1       don't allow more ciphers impl. for this algo
     aes=0        don't do aes
     aes=1        force do aes
     aes=128,256  force aes with these keyminbits,keymaxbits
                  ... same for: blowfish cast twofish serpent des_ede3
     test=1       algo testing (as other modules)
     debug=1

Examples:

     modinfo -p ipsec_cryptoapi                    (quite useful info)
     modprobe ipsec_cryptoapi    (will try to register all known ciphers)
     modprobe ipsec_cryptoapi test=1
     modprobe ipsec_cryptoapi latebind=1   (don't lock cipher modules at loadtime)
     modprobe ipsec_cryptoapi noauto=1 aes=1 twofish=1    (only these)
     modprobe ipsec_cryptoapi aes=128,128       (this keylens for AES)
     modprobe ipsec_cryptoapi des_ede3=0         (everything but 3DES)

After module loading, you will see several lines from kernel, similar than these:

     ...
     cryptoapi: loaded
     cryptoapi: Registered aes-ecb (0)
     cryptoapi: Registered aes-cbc (65536)
     cryptoapi: Registered aes-cfb (131072)
     cryptoapi: Registered aes-ctr (262144)
     cryptoapi: Registered aes-rtc (524288)
     setup_ipsec_alg_capi_cipher(): alg_type=15 alg_id=12 name=aes-cbc keyminbits=128 keymaxbits=256, ret=0
     cryptoapi: Registered twofish-ecb (0)
     cryptoapi: Registered twofish-cbc (65536)
     cryptoapi: Registered twofish-cfb (131072)
     cryptoapi: Registered twofish-ctr (262144)
     cryptoapi: Registered twofish-rtc (524288)
     setup_ipsec_alg_capi_cipher(): alg_type=15 alg_id=253 name=twofish-cbc keyminbits=128 keymaxbits=256, ret=0
     ...

TIPS

• You can permanently add ipsec_* algo modules loading in /etc/modules.conf:

          add above ipsec ipsec_aes ipsec_3des ipsec_md5 ipsec_sha1

• If ike and esp strings are absent, pluto will use _same_ as original (unpatched) pluto, ie:
• Phase1: if ike string is absent, it fallbacks to:

     ike=3des-md5-modp1536,3des-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024

• Phase2: if esp string is absent, it fallbacks to:

     esp=3des-md5,3des-sha1

     [ no pfsgroup => use Phase1's DH group ]