Modular ALGO support version 0.8.0 for freeswan-1.97
$Id: HOWTO.ipsec_alg,v 1.1 2002-07-15 05:55:20 danield Exp $
HOWTO-ipsec_alg.txt --Juanjo <jjo-ipsec@mendoza.gov.ar>
==================== Linux IP Aliasing creator, IPMASQ 2.2 Maintainer

These patches provide additional algorithm support for
Phase1 (OAKLEY/IKE) and Phase2 (ESP).
* Depending on the installation (stock or x509), use:
- stock freeswan:
freeswan-alg-0.8.0-BASE-common.diff.gz
freeswan-alg-0.8.0-BASE-klips.diff.gz
freeswan-alg-0.8.0-BASE-pluto.diff.gz
- x509 (0.9.11) patched freeswan:
freeswan-alg-0.8.0-BASE-common.diff.gz
freeswan-alg-0.8.0-BASE-klips.diff.gz
freeswan-alg-0.8.0-BASE-pluto_with_x509.diff.gz
* Decide which ciphers you want (you can patch in any order)
--file---------------------------------  -phase-  --comment---------
freeswan-alg-0.8.0-enc-3des.diff.gz       -  P2   x86 optimized asm
freeswan-alg-0.8.0-enc-aes.diff.gz       P1  P2   128-256 bits
freeswan-alg-0.8.0-enc-blowfish.diff.gz  P1  P2   128-256 bits
freeswan-alg-0.8.0-enc-null.diff.gz       -  P2
freeswan-alg-0.8.0-enc-serpent.diff.gz   P1  P2   128-256 bits
freeswan-alg-0.8.0-enc-twofish.diff.gz   P1  P2   128-256 bits
freeswan-alg-0.8.0-auth-md5.diff.gz       -  P2   x86 optimized asm
freeswan-alg-0.8.0-auth-sha1.diff.gz      -  P2   x86 optimized asm
freeswan-alg-0.8.0-auth-sha2.diff.gz     P1  P2   sha2_256 and sha2_512
E.g. you want the AES and TWOFISH ciphers:
  cd /path/to/src/freeswan-1.97
  zcat freeswan-alg-0.8.0-BASE-common.diff.gz | patch -p1 -s
  zcat freeswan-alg-0.8.0-BASE-klips.diff.gz | patch -p1 -s
  zcat freeswan-alg-0.8.0-BASE-pluto.diff.gz | patch -p1 -s
  zcat freeswan-alg-0.8.0-enc-aes.diff.gz | patch -p1 -s
  zcat freeswan-alg-0.8.0-enc-twofish.diff.gz | patch -p1 -s
2) Proceed as always with freeswan configuration/compilation;
you MUST recompile KLIPS (kernel) _and_ pluto.

For the kernel config, these new kernel config items will appear:
  >> IPSEC Modular Extensions (CONFIG_IPSEC_ALG) [Y/n/?] y
  >> AES encryption algorithm (CONFIG_IPSEC_ALG_AES) [M/n/y/?] m
  >> TWOFISH encryption algorithm (CONFIG_IPSEC_ALG_TWOFISH) [M/n/y/?] m

Compile, install, etc.
Don't forget to compile and also INSTALL the PATCHED PLUTO (the Phase 1
algorithms are added to pluto).
3) Reload ipsec/pluto and insert the algo module

Confirm the algo is present with
  + ipsec auto --status | egrep ESP
  000 algorithm ESP encrypt: id=3, name=ESP_3DES, ...
  000 algorithm ESP encrypt: id=12, name=ESP_AES, ...
  000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, ...
  000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, ...
  + ipsec auto --status | egrep IKE
  000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, ...
  000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, ...
  000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, ...
  000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, ...
  000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, ...
  000 algorithm IKE hash: id=2, name=OAKLEY_SHA, ...
  000 algorithm IKE hash: id=1, name=OAKLEY_MD5, ...
3) Edit connection parameters
- For Phase2 (ESP) algorithms:
Add to the connection in your dotconf (ipsec.conf):
  esp=aes128-sha1,aes128-md5
- For Phase1 (IKE) algorithms:
  ike=aes128-sha,aes128-md5 (NOTE: the Phase1 sha1 string is "sha")

Reload that configuration:
  + ipsec auto --replace <connection>
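Before reloading, it is worth confirming that every cipher and hash named in the esp= and ike= strings is actually listed by the running pluto, so a typo (such as "sha1" in ike=) fails here rather than at negotiation time. The following POSIX sh helper is an added example, not part of the FreeS/WAN patches or this HOWTO; it assumes the status line format shown above (only the name= field is used) and the name mapping those lines imply (ESP_<CIPHER>, AUTH_ALGORITHM_HMAC_<HASH>, OAKLEY_<CIPHER>_CBC, OAKLEY_<HASH>), and the sample status text is constructed from the lines shown above.

```sh
#!/bin/sh
# Constructed sample: the status lines this HOWTO shows (real output has
# key-size fields where the "..." is; only the name= field is used here).
SAMPLE_STATUS='000 algorithm ESP encrypt: id=3, name=ESP_3DES, ...
000 algorithm ESP encrypt: id=12, name=ESP_AES, ...
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, ...
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, ...
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, ...
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, ...
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, ...
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, ...
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, ...
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, ...
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, ...'

upcase() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# have_alg STATUS KIND NAME: succeed if a line "algorithm KIND: ... name=NAME,"
# is present, otherwise report the missing name on stderr and fail.
have_alg() {
    printf '%s\n' "$1" | grep -q "algorithm $2: .*name=$3," ||
        { echo "missing $2 $3" >&2; return 1; }
}

# alg_string_supported esp|ike "aes128-sha1,aes128-md5" STATUS
# Checks every comma-separated enc-auth pair of an esp=/ike= value against
# the status text; fails at the first pair the running pluto does not list.
# Trailing digits of the cipher are its key size ("aes128" -> AES) and are
# dropped; a leading digit ("3des") stays.  Hash names are taken verbatim,
# which is why the Phase 1 string must be "sha", not "sha1" (OAKLEY_SHA).
# A third dash-separated field (ike= modp group) is ignored.
alg_string_supported() {
    phase=$1; algs=$2; status=$3
    for pair in $(printf '%s' "$algs" | tr ',' ' '); do
        enc=$(upcase "$(printf '%s' "${pair%%-*}" | sed 's/[0-9]*$//')")
        rest=${pair#*-}
        auth=$(upcase "${rest%%-*}")
        case $phase in
        esp) have_alg "$status" "ESP encrypt" "ESP_$enc" &&
             have_alg "$status" "ESP auth attr" "AUTH_ALGORITHM_HMAC_$auth" ;;
        ike) have_alg "$status" "IKE encrypt" "OAKLEY_${enc}_CBC" &&
             have_alg "$status" "IKE hash" "OAKLEY_$auth" ;;
        *)   echo "phase must be esp or ike" >&2; false ;;
        esac || return 1
    done
}

# On a live host run e.g.:
#   alg_string_supported esp "aes128-sha1,aes128-md5" "$(ipsec auto --status)"
```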
4) Bring up a connection against a peer with AES support (e.g. a peer patched the same way)
  + ipsec auto --up <connection>

  + ipsec spi | grep AES

IKE (and ESP) from pluto's view:
  + ipsec auto --status | grep <connection>.*algo
All modules accept a test argument, e.g.:
  + modprobe ipsec_aes test=1 # ask the module to probe itself
  + dmesg | tail -10 # show timing results
Recommended comparison: ipsec_3des vs ipsec_aes 8)

* You can permanently add ipsec_* algo module loading in
  add above ipsec ipsec_aes ipsec_3des ipsec_md5 ipsec_sha1