<div dir="ltr">Hi Developers,<div><br></div><div>We are running on CentOS 7 and already have strongswan-5.7.2-1.el7.x86_64 installed, which is the latest version.</div><div><br></div><div>Our client will allow us to connect to them using:</div><div>Phase 1: <br>Authentication Method !! Pre-Shared Secret, to be exchanged over the phone (SMS) only <br>Encryption Schema IKEv2<br>Diffie-Hellman Group- IKE DH Group-19 <br>Encryption Algorithm AES-256 <br>Hashing Algorithm SHA-256 <br>PRF SHA-256 <br>Renegotiate IKE SA every 86400 seconds<br><br>Phase 2: <br>IPSec IPSec<br>Encryption Algorithm IPSec AES-256<br>Hashing Algorithm IPSec SHA-256 <br>Renegotiate IPSec SA every 28800 seconds<br>PFS No PFS<br>Mode Main Mode<br></div><div><br></div><div>I've been through the documentation from <a href="https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites">https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites</a> and since we don't have strongSwan 5.8.x we are limited in what we can use.</div><div><u>Option 1:</u> We have asked the client if we can use these alternate protocols that are supported with strongSwan 5.7.</div><div>For Phase 1:<br>Instead of DH Group-19 use DH Group 18<br>Instead of AES-256 use aes256gmac<br>Instead of SHA-256 use sha256_96<br>For PRF instead of SHA-256 use AES XCBC<br><br>For Phase 2: IPsec <br>Instead of AES-256 use aes256gmac<br>Instead of SHA-256 use sha256_96<br></div><div><br></div><div>Question 1:</div><div>However, it's not clear in the documentation <a href="https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites">https://wiki.strongswan.org/projects/1/wiki/IKEv2CipherSuites</a>. For IPsec and strongSwan 5.7, can you use aes256gmac instead of AES-256 and sha256_96 instead of SHA-256?</div><div><br></div><div>Question 2:</div><div>If this is possible with strongSwan 5.7, how do you implement aes256gmac as the IPsec Encryption Algorithm and sha256_96 as the IPsec Hashing Algorithm? Or are there alternate options supported by strongSwan 5.7?</div><div><br></div><div><u>Option 2:</u><br></div><div>Build strongSwan 5.8.x on CentOS 7</div><div>However, from this post it seems it may not work: <a href="https://wiki.strongswan.org/issues/3229">https://wiki.strongswan.org/issues/3229</a></div><div><br></div><div>Question 3:</div><div>Has anyone successfully built strongSwan 5.8.x or later on CentOS 7, and if so would they be so kind as to share their instructions on how to do it?</div><div><br></div><div>Thanks for any assistance.</div></div>
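For reference, the parameters the client lists map onto strongSwan's ipsec.conf keywords as sketched below. This is an added example, not part of the original message or of the strongSwan documentation; the connection name, peer address and subnets are placeholders, and it assumes the installed 5.7.2 build loads a plugin that provides ecp256 (DH group 19), such as openssl.

```conf
# ipsec.conf fragment (added example; names, addresses and subnets are placeholders)
conn client-tunnel
    # "Encryption Schema IKEv2"
    keyexchange=ikev2
    # Pre-shared secret; the key itself goes in ipsec.secrets, not here
    authby=secret
    # Phase 1: AES-256, SHA-256 integrity, PRF SHA-256, DH group 19 (ecp256).
    # The trailing "!" restricts negotiation to exactly this proposal.
    ike=aes256-sha256-prfsha256-ecp256!
    ikelifetime=86400s
    # Phase 2: AES-256 with SHA-256. No DH group in the ESP proposal means no PFS.
    esp=aes256-sha256!
    lifetime=28800s
    left=%defaultroute
    # placeholder local subnet
    leftsubnet=10.0.0.0/24
    # placeholder peer address (TEST-NET-1) and remote subnet
    right=192.0.2.10
    rightsubnet=10.1.0.0/24
    auto=start
```

strongSwan begins rekeying some time before these lifetimes expire (controlled by `margintime` and `rekeyfuzz`), so the configured values act as upper bounds rather than exact intervals.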