128 bit default security strength requires 3072 bit prime DH group
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 14 Dec 2015 09:39:40 +0000 (10:39 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 14 Dec 2015 09:39:40 +0000 (10:39 +0100)
35 files changed:
configure.ac
src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
src/libstrongswan/plugins/gmp/gmp_plugin.c
src/libstrongswan/plugins/openssl/openssl_plugin.c
src/starter/confread.c
testing/tests/af-alg/alg-camellia/evaltest.dat
testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/ikev1/alg-sha256/evaltest.dat
testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/alg-sha256-96/evaltest.dat
testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/alg-sha256/evaltest.dat
testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
testing/tests/libipsec/net2net-null/evaltest.dat
testing/tests/libipsec/net2net-null/hosts/moon/etc/ipsec.conf
testing/tests/libipsec/net2net-null/hosts/sun/etc/ipsec.conf
testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf

index a7419fded06f2fbf6afc424407b213a9c720899a..944e37e37432c91470dfd326bf480b3c016b230b 100644 (file)
@@ -1292,9 +1292,9 @@ ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([blowfish],             [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([rc2],                  [s charon scepclient pki scripts nm cmd])
-ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([sha2],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([sha3],                 [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([sha1],                 [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([md4],                  [s charon scepclient pki nm cmd])
 ADD_PLUGIN([md5],                  [s charon scepclient pki scripts attest nm cmd aikgen])
 ADD_PLUGIN([rdrand],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
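Review bot: The `sha1` line is moved below `sha2` and `sha3` with nothing in the file saying why its position matters; if ADD_PLUGIN order sets the default plugin load order and therefore which hash is listed first in the built-in proposals (the commit title suggests that is the intent), a later contributor re-sorting the list would silently revert the preference. A one-line m4 comment next to the moved line would pin it: `dnl keep sha1 after sha2/sha3: plugin load order sets the default hash preference`. The plugin stays enabled for every component it was enabled for before, so SHA-1 remains negotiable when a peer proposes it; that is consistent with changing defaults rather than removing algorithms, and is worth stating in the commit message.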
index 04f1f43ef17380a1163e38a1525bd159e9a42037..7ecba8fa9dfa9a21d07a4a4c9153d21bc4adf1e3 100644 (file)
@@ -98,14 +98,14 @@ METHOD(plugin_t, get_features, int,
                        PLUGIN_PROVIDE(HASHER, HASH_SHA512),
                /* MODP DH groups */
                PLUGIN_REGISTER(DH, gcrypt_dh_create),
-                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-                       PLUGIN_PROVIDE(DH, MODP_2048_224),
-                       PLUGIN_PROVIDE(DH, MODP_2048_256),
-                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
                        PLUGIN_PROVIDE(DH, MODP_3072_BIT),
                        PLUGIN_PROVIDE(DH, MODP_4096_BIT),
                        PLUGIN_PROVIDE(DH, MODP_6144_BIT),
                        PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+                       PLUGIN_PROVIDE(DH, MODP_2048_224),
+                       PLUGIN_PROVIDE(DH, MODP_2048_256),
+                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
                        PLUGIN_PROVIDE(DH, MODP_1024_BIT),
                        PLUGIN_PROVIDE(DH, MODP_1024_160),
                        PLUGIN_PROVIDE(DH, MODP_768_BIT),
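Review bot: The reorder of the PLUGIN_PROVIDE(DH, ...) entries so that MODP_3072_BIT leads is only meaningful if registration order decides which group the default proposal advertises first, and nothing in the array says so; the same unmarked reorder appears in the second gmp_plugin.c hunk and in the openssl_plugin.c hunk. If that is the mechanism, as the commit title implies, a short comment above the first entry would protect it from a future numeric re-sort, e.g. `/* order is significant: first registered group is the default preference; keep MODP_3072 first for 128-bit security strength */`. MODP_1024_BIT, MODP_1024_160 and MODP_768_BIT remain registered below the reordered block in all three plugins, so those groups are still accepted if a peer proposes them; that is consistent with changing defaults rather than disabling groups, but the commit message should say so explicitly. get_features continues outside the hunk.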
index d93aa14a1bf94f543475d8a5f4247150b8dffbab..ea75896a10b98d7b9775d8ea85d7a93255f890a1 100644 (file)
@@ -45,14 +45,6 @@ METHOD(plugin_t, get_features, int,
        static plugin_feature_t f[] = {
                /* DH groups */
                PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
-                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
-                       PLUGIN_PROVIDE(DH, MODP_2048_224),
-                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
-                       PLUGIN_PROVIDE(DH, MODP_2048_256),
-                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
-                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
-                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_3072_BIT),
                                PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_4096_BIT),
@@ -61,6 +53,14 @@ METHOD(plugin_t, get_features, int,
                                PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_8192_BIT),
                                PLUGIN_DEPENDS(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(DH, MODP_2048_224),
+                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(DH, MODP_2048_256),
+                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
+                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+                               PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_1024_BIT),
                                PLUGIN_DEPENDS(RNG, RNG_STRONG),
                        PLUGIN_PROVIDE(DH, MODP_1024_160),
index e48efe3e9ac59896aa666a3499479c1f9c62b612..2b05adbdf0d8bac9e9206d6d1124d25ef3ce9916 100644 (file)
@@ -379,14 +379,14 @@ METHOD(plugin_t, get_features, int,
 #ifndef OPENSSL_NO_DH
                /* MODP DH groups */
                PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
-                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
-                       PLUGIN_PROVIDE(DH, MODP_2048_224),
-                       PLUGIN_PROVIDE(DH, MODP_2048_256),
-                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
                        PLUGIN_PROVIDE(DH, MODP_3072_BIT),
                        PLUGIN_PROVIDE(DH, MODP_4096_BIT),
                        PLUGIN_PROVIDE(DH, MODP_6144_BIT),
                        PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+                       PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+                       PLUGIN_PROVIDE(DH, MODP_2048_224),
+                       PLUGIN_PROVIDE(DH, MODP_2048_256),
+                       PLUGIN_PROVIDE(DH, MODP_1536_BIT),
                        PLUGIN_PROVIDE(DH, MODP_1024_BIT),
                        PLUGIN_PROVIDE(DH, MODP_1024_160),
                        PLUGIN_PROVIDE(DH, MODP_768_BIT),
index c3a0ac07fd14be94fb8afca67b62afe79d9e75c4..897aa423e341cbbd17b2aedfec70f87825f22424 100644 (file)
@@ -40,8 +40,8 @@
 #define SA_REPLACEMENT_RETRIES_DEFAULT   3
 #define SA_REPLAY_WINDOW_DEFAULT        -1 /* use charon.replay_window */
 
-static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
-static const char esp_defaults[] = "aes128-sha1,3des-sha1";
+static const char ike_defaults[] = "aes128-sha256-modp3072";
+static const char esp_defaults[] = "aes128-sha256";
 
 static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
 
index 2096cb99456c774e5c9de35e0c0b4e4da9a11b37..f87c8f7f5f4e2d4d5ee76d1f50d5d9afdbbff8c6 100644 (file)
@@ -1,7 +1,7 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
index 11dece402491e81f7bb3cf32724904e8a0f7590e..f0bbfc10ffa5ea60be1e70046f9b6ddb7fbbf8ad 100644 (file)
@@ -8,7 +8,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
+       ike=camellia256-sha512-modp3072!
        esp=camellia192-sha384!
 
 conn home
index ecbb94dca4459fe5dd431f8964b572e5163dba60..8481f8974d32a9de5494ec0ca7d2751bae4cd456 100644 (file)
@@ -8,7 +8,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
+       ike=camellia256-sha512-modp3072!
        esp=camellia192-sha384!
 
 conn rw
index 5f0bb3cdc2398cba2f2000509cd1f8798d18dd29..236647b568fa78f95bb22e237af0def0f671b966 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
index 11dece402491e81f7bb3cf32724904e8a0f7590e..f0bbfc10ffa5ea60be1e70046f9b6ddb7fbbf8ad 100644 (file)
@@ -8,7 +8,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
+       ike=camellia256-sha512-modp3072!
        esp=camellia192-sha384!
 
 conn home
index ecbb94dca4459fe5dd431f8964b572e5163dba60..8481f8974d32a9de5494ec0ca7d2751bae4cd456 100644 (file)
@@ -8,7 +8,7 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
+       ike=camellia256-sha512-modp3072!
        esp=camellia192-sha384!
 
 conn rw
index eba856742e06ad8b116070505f598ee23a8b9370..c826c3f60390f1980a7d978455b71765e55a70cb 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
index 73e25710bb8d1602668e10f4b102f92f7bc8d2ec..1c227978e3e9dfa2c42307bc77a910752c71bea8 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256-modp3072!
 
 conn home
        left=PH_IP_CAROL
index 0a6f48e6910ad4f9d38553b68c2dcbe246929a0b..177aebf5298223ef9275b6185584ec955c6d92f4 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256-modp3072!
 
 conn rw
        left=PH_IP_MOON
index f11018347ca0cba8be6f4ce6be6c7c81149f7c79..c896b5f67aab235f86e06cc2a72abc113347c787 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
index 74668e7fbb400228aefc6cd60f64743d7b4e27da..c9e9e92e5679df7bb66736f1738063b01f3ff306 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-aesxcbc-modp2048!
-       esp=aes128-aesxcbc-modp2048!
+       ike=aes128-aesxcbc-modp3072!
+       esp=aes128-aesxcbc-modp3072!
 
 conn home
        left=PH_IP_CAROL
index 3cda7293577375bac8093a003f027f60284779b0..4e4a9324ff434f488493604a4b38dbede1341867 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-aesxcbc-modp2048!
-       esp=aes128-aesxcbc-modp2048!
+       ike=aes128-aesxcbc-modp3072!
+       esp=aes128-aesxcbc-modp3072!
 
 conn rw
        left=PH_IP_MOON
index 6c4e23710667c7124aa13b0c8518fac9c64f15a1..8ad0fb2b2f45256793c2b7f1e3ac274af190f761 100644 (file)
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
 carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
index 0d3b9fd45c1e66b262653265ab873e1eee1b7de8..90a143678a383a2cb4fbd9a9ac0ba8e35c3984bf 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256_96-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256_96-modp3072!
 
 conn home
        left=PH_IP_CAROL
index b0a5c46160158a7c366bbeeeb3077d0577c23f0b..e0b2625c06701f92c92b30f0bcb7a8240fc3bcf5 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256_96-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256_96-modp3072!
 
 conn rw
        left=PH_IP_MOON
index eba856742e06ad8b116070505f598ee23a8b9370..c826c3f60390f1980a7d978455b71765e55a70cb 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
index 22d2cd38a6287525d219edc30b81b102f4f19a61..6890ea4580675967228cfaf26778b9dcffc5a008 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256-modp3072!
 
 conn home
        left=PH_IP_CAROL
index 543374d76b218ebc5197a8f87a3f0b0c4d097902..5831118931cab3cd22fb85a1aa70c1ec6805ee81 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-sha256-modp2048!
-       esp=aes128-sha256-modp2048!
+       ike=aes128-sha256-modp3072!
+       esp=aes128-sha256-modp3072!
 
 conn rw
        left=PH_IP_MOON
index e455a3650e4246368a27f836b7b295c8932390c7..0cafb4faff35c7efa2fdaab5b1de04a327a230ce 100644 (file)
@@ -2,8 +2,8 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
 sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES
index 4ecfb0e92ee37d99aab628a90ddb5c2b37d2291d..f206a16fbd264a4bba49ee9f72f7b49aff1cbae6 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=null-sha256-modp2048!
-       esp=null-sha256-modp2048!
+       ike=null-sha256-modp3072!
+       esp=null-sha256-modp3072!
        mobike=no
 
 conn net-net
index 95ea20d3c80872d5f4978f2608820a94c64ea97e..21b116595efaaa60ca69e432f86f776370eb7ca2 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=null-sha256-modp2048!
-       esp=null-sha256-modp2048!
+       ike=null-sha256-modp3072!
+       esp=null-sha256-modp3072!
        mobike=no
 
 conn net-net
index 4d614bf7e309ea25435670e698638efbdc0e02dd..3b6770389beb08c8921a26488fe429316af0de61 100644 (file)
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
index 7a276806ee24a60046488d45f96cb8284a42c7a3..4628311d41b1321829141f9076a8905d70f547ff 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
-       ike=camellia256-sha512-modp2048!
-       esp=camellia192-sha1!
+       ike=camellia256-sha512-modp3072!
+       esp=camellia192-sha384!
 
 conn home
        left=PH_IP_CAROL
index fb892a04176d109de50c13e339acc80b79e1b6f7..da1fbf06b6a159a9ed78c08d44e17ab5eccdeb0d 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
-       ike=camellia256-sha512-modp2048!
-       esp=camellia192-sha1!
+       ike=camellia256-sha512-modp3072!
+       esp=camellia192-sha384!
 
 conn rw
        left=PH_IP_MOON
index 4d614bf7e309ea25435670e698638efbdc0e02dd..3b6770389beb08c8921a26488fe429316af0de61 100644 (file)
@@ -1,11 +1,11 @@
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
 moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
index 00429543777d1f728a4c389ea4e8f33c2959a670..f0bbfc10ffa5ea60be1e70046f9b6ddb7fbbf8ad 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
-       esp=camellia192-sha1!
+       ike=camellia256-sha512-modp3072!
+       esp=camellia192-sha384!
 
 conn home
        left=PH_IP_CAROL
index 0f6a4f5690673be8098dc9bd2c948f8a4a4a34d6..8481f8974d32a9de5494ec0ca7d2751bae4cd456 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=camellia256-sha512-modp2048!
-       esp=camellia192-sha1!
+       ike=camellia256-sha512-modp3072!
+       esp=camellia192-sha384!
 
 conn rw
        left=PH_IP_MOON
index 590b7fe9c960fde498b1774b5f60e0451af36f25..9c6b73ba065efcb53b136fd5fda94cd40521eaf2 100644 (file)
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
index 74668e7fbb400228aefc6cd60f64743d7b4e27da..c9e9e92e5679df7bb66736f1738063b01f3ff306 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-aesxcbc-modp2048!
-       esp=aes128-aesxcbc-modp2048!
+       ike=aes128-aesxcbc-modp3072!
+       esp=aes128-aesxcbc-modp3072!
 
 conn home
        left=PH_IP_CAROL
index 3cda7293577375bac8093a003f027f60284779b0..4e4a9324ff434f488493604a4b38dbede1341867 100644 (file)
@@ -8,8 +8,8 @@ conn %default
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
-       ike=aes128-aesxcbc-modp2048!
-       esp=aes128-aesxcbc-modp2048!
+       ike=aes128-aesxcbc-modp3072!
+       esp=aes128-aesxcbc-modp3072!
 
 conn rw
        left=PH_IP_MOON