Re: linux-ipsec: Pluto/IKE policy configuration?

> I ran into a snag when trying to esablish isakmp via pluto to a Cisco
> IOS router. It would appear from watching this from the router that all
> the proposals that pluto makes contain 3des for the ike SA , des is not
> proposed. Is this correct?

At the moment, this is correct. Users really need to have more control over such policy matters, and that is on our to-do list, although it may be a little while before it gets addressed.

DHR might possibly be able to suggest a way to fudge it for testing. We are reluctant to provide a default configuration with single-DES enabled, especially for something as crucial as key exchange, since single-DES no longer offers meaningful security. (If your competition is seriously interested in eavesdropping on you, they can and will build a DES-cracker machine -- see doc/des.)

> >...Eventually this will be moved into a security policy database with
> >reasonable expressive power and more convenience.
>
> If I'm on the right lines here - whereabouts in the code is this
> hardwiring?

It's in pluto/spdb.c, but detailed instructions for fudging it should come from DHR rather than me -- I don't remember the details well enough to confidently give precise instructions.

> ...Presumably the design for such a policy database would be
> intended to include such things as choice of des/3des for ike, along
> with authentication policies such as certs vs pre-exchanged rsa key vs
> pre-shared secret etc?

Yes, that's the general intention... although do note that when it comes to choice of encryption algorithm, single-DES is such a poor choice that we've had repeated discussions of whether it belongs in our code at all. So far it's still there as an ESP transform, mostly because it is officially mandatory, and we will support it for IKE at such time as IKE becomes properly configurable, for the same reason.

However... if IETF ever downgrades DES support to optional (presumably after blessing a stronger replacement), it would not surprise me if we decided to stop shipping it. Our project management feels strongly about giving users real security, not just a crumbly plastic imitation.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

> I read some discussion of rsa-sig being considered as a next stage - if
> and when this is available I will have facility to test this also
> against network equipment vendors.

Great!

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)