Hi Maintainer, I just installed freeswan (have 2 gentoos so it's quite easy :) So I configured a connection... took me quite some time to fiddle out that the part with the rsa key is _that_ easy.... anyway... I wanted to configure my algos... but I really soon got disappointed.... but found this page: http://www.fw-1.de/aerasec/ng/vpn-freeswan/CPNG+Linux-FreeSWAN.html#freeswan-algo and there I found what I wanted.... so I made up a small addon to your ebuild....

The output of "ipsec auto --status" (truncated):

000 "sample": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sample": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "sample": newest ISAKMP SA: #1; newest IPsec SA: #3; eroute owner: #3
000 "sample": IKE algorithms wanted: 7_128-4-42048, flags=-strict
000 "sample": IKE algorithms found: 7_128-4_256-42048,
000 "sample": IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536 (extension)
000 "sample": ESP algorithms wanted: 12_128-5, 3_000-2, 2_000-2, 2_000-1, ; pfsgroup=42048; flags=-strict
000 "sample": ESP algorithms loaded: 3_168-2_160,
000 "sample": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=MODP2048 (extension)

I didn't check _all_ the algos yet... please note that a crypto kernel is needed for the whole stuff (I guess... well I have one...)

bye
xor
Created attachment 2950: New Algos for freeswan
A small example of how the extensions are used:

conn uml1-uml2
        # Left (freeswan-1.98b + alg-0.8.0 )
        left=192.168.2.18
        leftsubnet=10.1.18.0/24
        leftrsasigkey=0s.......
        # Right (freeswan-1.98b + alg-0.8.0 )
        right=192.168.2.20
        rightsubnet=10.1.20.0/24
        rightrsasigkey=0s.......
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add
        auth=esp
        #authby=secret
        authby=rsasig
        pfs=yes
        #
        #freeswan-alg 0.7.x+ required for esp= parameter
        #
        #esp=twofish256
        esp=aes128-md5,aes128-sha2_256
        #esp=aes128
        #
        #freeswan-alg 0.8.x+ required for pfsgroup= parameter
        pfsgroup=modp1536
        #
        #
        #freeswan-alg 0.8.x+ required for ike= parameter
        #
        #ike=aes128-md5
        ike=aes256-md5-modp4096
        #ike=aes128-sha2_256
        #ike=twofish-sha2_256
        #ike=serpent-sha2_256
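As an added example (not part of this bug thread, the ebuild, or the freeswan-alg patch), a small Python audit that parses the esp=/ike=/pfsgroup= proposal syntax shown in the conn block above and flags components a defender would want to revisit. The thresholds (md5, des/3des, MODP groups under 2048 bits) are this example's own policy assumption, and the sample conn text is constructed from the posted values.

```python
import re
from typing import Dict, List

# Proposal syntax as the freeswan-alg patch uses it in ipsec.conf (taken from
# the examples in this thread): esp=cipher[bits]-hash, ike=cipher[bits]-hash-modpN.
# The weakness thresholds below are this example's own audit policy (assumption).
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5"}
MIN_MODP_BITS = 2048

def parse_proposal(text: str) -> Dict[str, object]:
    """Split e.g. 'aes256-md5-modp4096' into cipher, key bits, hash and MODP group."""
    parts = text.strip().split("-")
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected proposal syntax: {text!r}")
    m = re.fullmatch(r"(3des|[a-z]+)(\d+)?", parts[0])  # '3des' has no key length suffix
    if m is None:
        raise ValueError(f"unexpected cipher token: {parts[0]!r}")
    modp = None
    if len(parts) == 3:
        g = re.fullmatch(r"modp(\d+)", parts[2])
        if g is None:
            raise ValueError(f"unexpected group token: {parts[2]!r}")
        modp = int(g.group(1))
    return {"text": text.strip(), "cipher": m.group(1),
            "keybits": int(m.group(2)) if m.group(2) else None,
            "hash": parts[1], "modp": modp}

def audit_proposal(p: Dict[str, object]) -> List[str]:
    """Return the list of policy findings for one parsed proposal (empty if clean)."""
    issues = []
    if p["cipher"] in WEAK_CIPHERS:
        issues.append(f"weak cipher {p['cipher']}")
    if p["hash"] in WEAK_HASHES:
        issues.append(f"weak integrity algorithm {p['hash']}")
    if p["modp"] is not None and p["modp"] < MIN_MODP_BITS:
        issues.append(f"modp{p['modp']} is below {MIN_MODP_BITS} bits")
    return issues

def audit_conn(conn_text: str) -> Dict[str, List[str]]:
    """Audit esp=, ike= and pfsgroup= of one conn block; '#' lines are ignored as in ipsec.conf."""
    findings: Dict[str, List[str]] = {}
    for raw in conn_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ("esp", "ike"):
            for p in (parse_proposal(x) for x in value.split(",") if x.strip()):
                issues = audit_proposal(p)
                if issues:
                    findings[f"{key}={p['text']}"] = issues
        elif key == "pfsgroup":
            g = re.fullmatch(r"modp(\d+)", value)
            if g and int(g.group(1)) < MIN_MODP_BITS:
                findings[f"pfsgroup={value}"] = [f"modp{g.group(1)} is below {MIN_MODP_BITS} bits"]
    return findings

# Constructed sample: the algorithm settings from the conn block posted above.
SAMPLE_CONN = """conn uml1-uml2
    auth=esp
    authby=rsasig
    pfs=yes
    #esp=twofish256
    esp=aes128-md5,aes128-sha2_256
    pfsgroup=modp1536
    ike=aes256-md5-modp4096
"""

if __name__ == "__main__":
    for setting, issues in audit_conn(SAMPLE_CONN).items():
        print(setting, "->", "; ".join(issues))
```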
I finally managed to get AES, BLOWFISH and SHA2 running.... the trick is to go into the freeswan dir (ebuild unpack) and run "make menugo" - in the network options the ciphers are now available.... I just don't know how to make that work with an ebuild...
hmm... I'm still no step further... I think the best is to call "make menugo" so the user has the choice to include the ciphers he wants... but that violates the sandbox (as it patches the kernel). A few words of advice would be welcome.
Created attachment 3860: All New cutting edge freeswan (sha2, aes, blowfish... and more!)
This attachment is a newly made ebuild; it may solve the problems I encountered... I hope I solved 'em in a sane way... any feedback is welcome.
These patches are probably unfit to use in our freeswan ebuild and the functionality is present in superfreeswan.