Aggressive mode support, which was always part of Openswan 1, has now also been added to Openswan 2. However, the code is entirely different. One of the problems of aggressive mode is that, to save the extra round trip of negotiation that Main Mode needs, a lot of expensive Diffie-Hellman computation has to be done upon sending and receiving the very first packet. That opens up the possibility of a trivial denial of service attack: an attacker only has to send bogus aggressive mode packets to make the responder burn CPU on Diffie-Hellman work.
Another side effect of aggressive mode is that you must get the IKE and ESP parameters right in your first proposal, since there is no additional room to negotiate. It has to be precisely right after the first packet exchange.

The handling of the CPU-intensive tasks has been split off into a separate process called crypto_helper. Pluto can be told how many helper processes to start using the --nhelpers argument. You can also specify nhelpers= in the config setup section of the ipsec.conf file. A value of...
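The two points above together, as an added ipsec.conf example that is not from the original text or the Openswan project: nhelpers= pins the number of crypto_helper processes, and the conn pins exactly one IKE and one ESP proposal so the single aggressive mode exchange cannot fail on negotiation. The helper count, the connection name, addresses and the chosen algorithms are assumptions; aggrmode=, ike= and esp= are existing Openswan options.

```ini
# Assumed example ipsec.conf for Openswan 2; values are illustrative only.
config setup
	# Number of crypto_helper processes Pluto forks for Diffie-Hellman work.
	# Assumed value: one helper per CPU core is a common starting point.
	# Bounding this keeps a flood of bogus aggressive mode packets from
	# exhausting the box; it does not make the DoS go away.
	nhelpers=2
	# Keep negotiation logging on so rejected or bogus first packets are visible.
	plutodebug=none
	plutostderrlog=/var/log/pluto.log

conn aggressive-example
	# Aggressive mode: only one proposal fits in the first exchange, so
	# exactly one IKE and one ESP transform is listed, no fallbacks.
	aggrmode=yes
	authby=secret
	ike=aes128-sha1;modp1536
	esp=aes128-sha1
	pfs=yes
	left=192.0.2.1
	leftid=@gw-left.example
	right=198.51.100.1
	rightid=@gw-right.example
	auto=add
```

Both peers must carry the identical ike= and esp= lines; in aggressive mode a mismatch is simply a failed exchange, not a fallback to a second proposal.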