Modular ALGO support version 0.7.2b
Tested with 2.4.18, freeswan-1.96

HOWTO-ipsec_ext.txt
--Juanjo 07/03/02
====================
Linux IP Aliasing creator, IPMASQ 2.2 Maintainer

CHANGES:
========
* v0.7.2b: ESP auth, ipsec auto --status, x509 coexistence
* v0.6.3:  REQUIRE esp= to negotiate algorithm

I'm assuming you have enough freeswan knowledge (patching, config, etc.);
if not, get it and come back :)

Quickstart
==========

1) Patches:

   * Depending on your installation (stock or x509), use:

     - Stock freeswan:
         freeswan-ext-0.7.2b-BASE-common.diff.gz
         freeswan-ext-0.7.2b-BASE-klips.diff.gz
         freeswan-ext-0.7.2b-BASE-pluto.diff.gz

     - x509 (0.9.9) patched freeswan:
         freeswan-ext-0.7.2b-BASE-common.diff.gz
         freeswan-ext-0.7.2b-BASE-klips.diff.gz
         freeswan-ext-0.7.2b-BASE-pluto_with_x509.diff.gz

   * Decide which ciphers you want (you can patch in any order):

         freeswan-ext-0.7.2b-enc-3des.diff.gz      ESP_3DES            =3
         freeswan-ext-0.7.2b-enc-aes-opt.diff.gz   ESP_AES             =12
         freeswan-ext-0.7.2b-enc-aes.diff.gz       ESP_AES             =12
         freeswan-ext-0.7.2b-enc-blowfish.diff.gz  ESP_BLOWFISH        =7
         freeswan-ext-0.7.2b-enc-cast.diff.gz      ESP_CAST            =6
         freeswan-ext-0.7.2b-enc-null.diff.gz      ESP_NULL            =11
         freeswan-ext-0.7.2b-enc-serpent.diff.gz   ESP_SERPENT         =252
         freeswan-ext-0.7.2b-enc-twofish.diff.gz   ESP_TWOFISH         =252
         freeswan-ext-0.7.2b-auth-md5.diff.gz      HMAC_MD5            =1
         freeswan-ext-0.7.2b-auth-sha1.diff.gz     HMAC_SHA1           =2
         freeswan-ext-0.7.2b-auth-sha2.diff.gz     HMAC_SHA2_{256,512} =5,7
         freeswan-ext-0.7.2b-auth-ripemd.diff.gz   HMAC_RIPEMD         =8

   Eg: you want the AES and TWOFISH ciphers:

     cd /path/to/src/freeswan-1.96
     zcat freeswan-ext-0.7.2b-BASE-common.diff.gz | patch -p1 -s
     zcat freeswan-ext-0.7.2b-BASE-klips.diff.gz  | patch -p1 -s
     zcat freeswan-ext-0.7.2b-BASE-pluto.diff.gz  | patch -p1 -s
     zcat freeswan-ext-0.7.2b-enc-aes.diff.gz     | patch -p1 -s
     zcat freeswan-ext-0.7.2b-enc-twofish.diff.gz | patch -p1 -s

2) Proceed as always with freeswan configuration/compilation; you MUST
   recompile KLIPS (kernel) _and_ pluto.

   For the kernel config, these new kernel config items will appear:

   >> IPSEC Modular Extensions (CONFIG_IPSEC_EXT) [Y/n/?] y
   >> AES encryption algorithm (CONFIG_IPSEC_EXT_AES) [M/n/y/?] m
   >> TWOFISH encryption algorithm (CONFIG_IPSEC_EXT_TWOFISH) [M/n/y/?] m

   Compile, install, etc. Don't forget to compile and INSTALL the PATCHED PLUTO.

3) Reload ipsec/pluto and insert the algo module:

   + modprobe ipsec_aes

   Confirm the algo is present with:

   + ipsec auto --status | egrep ESP
   000 algorithm ESP encrypt: id=3, name=ESP_3DES
   000 algorithm ESP encrypt: id=12, name=ESP_AES
   000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5
   000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1

4) Edit connection parameters

   Add to the connection in your dotconf (ipsec.conf):

     esp=aes,3des

   and reload that configuration:

   + ipsec auto --replace

5) Bring up a connection against a peer with AES support (eg. a ditto-patched peer):

   + ipsec auto --up

   Confirm:

   + ipsec spi | grep AES

6) Additional testing

   All modules accept a test argument, eg:

   + modprobe ipsec_aes test=1      # ask module to probe itself
   + dmesg | tail -10               # show timing results

   Recommended comparison: ipsec_3des vs ipsec_aes 8)
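Steps 3 and 4 above leave it to the eye to match the esp= line against the "000 algorithm ESP ..." lines; the script below is an added example, not part of the HOWTO or the ext patches, that does that check and goes a little beyond the plain esp=aes,3des shown: it also accepts the CIPHER-AUTH form and a key-length suffix on the cipher (aes128-sha1), which is an assumed syntax here. The STATUS text is a constructed copy of the step 3 output.

```shell
#!/bin/sh
# Added example, not part of the freeswan ext patches: check that every
# algorithm named in an esp= line is registered, using the
# "000 algorithm ESP ..." lines that `ipsec auto --status` prints.

# Constructed sample of the status output from step 3; on a real host use:
#   STATUS=$(ipsec auto --status | egrep ESP)
STATUS='000 algorithm ESP encrypt: id=3, name=ESP_3DES
000 algorithm ESP encrypt: id=12, name=ESP_AES
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1'

# check_esp "<esp= value>" "<status text>"
# Each comma-separated proposal is CIPHER or CIPHER-AUTH (assumed syntax,
# e.g. aes128-sha1); a trailing key length on the cipher is ignored.
# Returns 0 when everything is registered, 1 plus a list of what is
# missing on stderr otherwise.
check_esp() {
    spec=$1
    st=$2
    missing=""
    for proposal in $(printf '%s' "$spec" | tr ',' ' '); do
        cipher=${proposal%%-*}
        auth=""
        case $proposal in *-*) auth=${proposal#*-} ;; esac
        # aes128 -> AES; the KLIPS name is ESP_<CIPHER>
        cname=$(printf '%s' "$cipher" | sed 's/[0-9]*$//' | tr '[:lower:]' '[:upper:]')
        printf '%s\n' "$st" | grep -q "ESP encrypt: .*name=ESP_${cname}"'$' \
            || missing="$missing ESP_$cname"
        if [ -n "$auth" ]; then
            # the auth attr name is AUTH_ALGORITHM_HMAC_<AUTH>
            aname=$(printf '%s' "$auth" | tr '[:lower:]' '[:upper:]')
            printf '%s\n' "$st" | grep -q "ESP auth attr: .*name=AUTH_ALGORITHM_HMAC_${aname}"'$' \
                || missing="$missing HMAC_$aname"
        fi
    done
    if [ -n "$missing" ]; then
        echo "esp=$spec: not registered:$missing (modprobe the ipsec_<algo> module first)" >&2
        return 1
    fi
    return 0
}

check_esp "aes,3des" "$STATUS" && echo "esp=aes,3des: all algorithms registered"
```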