
linux-ipsec: Pluto/IKE policy configuration?

From: Ian Calderbank <ianc(at)uk.uu.net>
Date: Wed Dec 23 1998 - 10:01:08 EST


Hi,
I've been following this list for a while now - excellent work folks. I've just started trying to test some interoperability between freeswan, starting with 0.91 (which FYI compiled without incident on rh5.2/2.0.36) and various networking equipment vendors' ipsec implementations, notably cisco, bay and one or two others.

I ran into a snag when trying to establish isakmp via pluto to a Cisco IOS router. It would appear from watching this from the router that all the proposals that pluto makes contain 3des for the ike SA, des is not proposed. Is this correct? If so then this causes me a problem, as the router is only single-des enabled, so it refuses all the proposals. Enabling 3des on that cisco router isn't at the present time an option. I would like to persuade pluto to have the option of proposing des for ike if possible, for the purpose of tests. I am aware of the des vs 3des security arguments.

From ipsec_pluto manpage:

>The policy for acceptable characteristics for Security Associations is hardwired into
>the code of pluto. Eventually this will be moved into a security policy database with
>reasonable expressive power and more convenience.

If I'm on the right lines here - whereabouts in the code is this hardwiring? I'm a network design engineer, not a coder, so a pointer along the lines of "change this line(s) and recompile" would be appreciated. Presumably the design for such a policy database would be intended to include such things as choice of des/3des for ike, along with authentication policies such as certs vs pre-exchanged rsa key vs pre-shared secret etc?

> pluto uses shared secrets to authenticate peers with whom it is negotiating. In future
> other techniques will be supported.

I read some discussion of rsa-sig being considered as a next stage - if and when this is available I will have facility to test this also against network equipment vendors.

Regards,
Ian

-- 
Ian Calderbank, ianc@uk.uu.net
Network Development, UUNET UK
Received on Wed Dec 23 10:56:46 1998
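The negotiation failure described in the post (every initiator proposal carries 3DES, the responder only accepts single DES, so nothing is chosen) is easy to reason about as a small proposal-selection model. The following is an added example, not code from FreeS/WAN, pluto or Cisco IOS: the transform fields, the `ResponderPolicy` class, the sample proposal lists and the "single-DES router" policy are all constructed here to illustrate how an ISAKMP responder picks at most one of the initiator's phase-1 transforms, why an all-3DES proposal set gets NO-PROPOSAL-CHOSEN from a DES-only peer, and how an audit pass can flag the weak cipher that a DES fallback introduces.

```python
"""Model of IKE phase-1 (ISAKMP SA) transform selection from the
responder's side. Hypothetical helper code written for this archive
page; it does not reproduce pluto's hardwired proposal list or IOS's
crypto policy, both of which are assumed here."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Transform:
    """One phase-1 transform offered by the initiator."""
    encryption: str   # e.g. "3des", "des"
    hash_alg: str     # e.g. "sha1", "md5"
    auth: str         # e.g. "psk" (pre-shared secret), "rsa-sig"
    dh_group: int     # 1 = 768-bit MODP, 2 = 1024-bit MODP


@dataclass(frozen=True)
class ResponderPolicy:
    """What the responder is willing to accept for each attribute."""
    encryption: FrozenSet[str]
    hashes: FrozenSet[str]
    auths: FrozenSet[str]
    dh_groups: FrozenSet[int]

    def accepts(self, t: Transform) -> bool:
        return (t.encryption in self.encryption
                and t.hash_alg in self.hashes
                and t.auth in self.auths
                and t.dh_group in self.dh_groups)


def select_transform(proposals: List[Transform],
                     policy: ResponderPolicy) -> Optional[Transform]:
    """A responder may select exactly one transform, so it takes the
    first acceptable one in the initiator's order of preference."""
    for t in proposals:
        if policy.accepts(t):
            return t
    return None


def negotiate(proposals: List[Transform], policy: ResponderPolicy) -> str:
    """Summarise the outcome; NO-PROPOSAL-CHOSEN is the ISAKMP notify
    a responder sends when nothing in the offer is acceptable."""
    chosen = select_transform(proposals, policy)
    if chosen is None:
        return "NO-PROPOSAL-CHOSEN"
    return "accepted %s/%s/%s/group%d" % (
        chosen.encryption, chosen.hash_alg, chosen.auth, chosen.dh_group)


# Ciphers an audit should flag if they appear anywhere in an offer.
WEAK_ENCRYPTION = frozenset({"des"})


def weak_ciphers_in(transforms: List[Transform]) -> List[str]:
    """Return the weak encryption algorithms present in a proposal set."""
    return sorted({t.encryption for t in transforms
                   if t.encryption in WEAK_ENCRYPTION})


# Constructed sample: an initiator whose proposals are hardwired to 3DES.
HARDWIRED_3DES_ONLY = [
    Transform("3des", "sha1", "psk", 2),
    Transform("3des", "md5", "psk", 2),
]

# Constructed sample: the same offer with a single-DES fallback appended
# after the 3DES entries, so a 3DES-capable peer still ends up on 3DES.
WITH_DES_FALLBACK = HARDWIRED_3DES_ONLY + [
    Transform("des", "sha1", "psk", 2),
    Transform("des", "md5", "psk", 2),
]

# Constructed sample policies: a router licensed for single DES only,
# and one that also accepts 3DES.
SINGLE_DES_ROUTER = ResponderPolicy(
    frozenset({"des"}), frozenset({"md5", "sha1"}),
    frozenset({"psk"}), frozenset({1, 2}))
TRIPLE_DES_ROUTER = ResponderPolicy(
    frozenset({"des", "3des"}), frozenset({"md5", "sha1"}),
    frozenset({"psk"}), frozenset({1, 2}))


if __name__ == "__main__":
    print(negotiate(HARDWIRED_3DES_ONLY, SINGLE_DES_ROUTER))
    print(negotiate(WITH_DES_FALLBACK, SINGLE_DES_ROUTER))
    print(negotiate(WITH_DES_FALLBACK, TRIPLE_DES_ROUTER))
    print("weak ciphers offered:", weak_ciphers_in(WITH_DES_FALLBACK))
```

The ordering matters: because the responder takes the first match in the initiator's list, putting the DES transforms last keeps 3DES as the outcome with any peer that supports it, while `weak_ciphers_in` gives a configuration check something concrete to report whenever a test-only DES fallback is left in a production proposal set.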

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:09 EDT

