[strongSwan-dev] can i apply NULL encryption with strongswan ?
Martin Willi
martin at strongswan.org
Mon Feb 7 16:37:13 CET 2011
Hi Christophe,

> ike=null-sha1-modp1024!
> esp=null-sha1-modp1024!

Using Null encryption for the IKE protocol is considered insecure, you
should not use it in a productive setup. It is not really defined for
the use in IKEv2 itself. Null encryption in ESP is fine if you don't
need confidentiality, but you should use a cipher in IKE anyway.

> 09[IKE] ENCRYPTION_ALGORITHM NULL (key size 20) not supported!
> 09[IKE] key derivation failed

strongSwan does not provide a Null transform in userland in its default
configuration. But you can enable the OpenSSL crypto backend by passing
--enable-openssl to ./configure, it provides a Null transform. The
proposal above should work then between strongSwans, but be aware of the
consequences.

Regards
Martin
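
A configuration check following the advice in the reply above, as an added example that is not part of the original post or of strongSwan itself: it reads ipsec.conf-style text and reports Null encryption in ike= as an error and in esp= as a warning. The sample configuration, the aes128 IKE proposal and the function names are constructed for illustration.

```python
import re

# Constructed sample ipsec.conf (not from the original post). The first conn
# uses the proposals quoted in the thread; the second keeps a cipher for IKE
# (aes128 is an assumed example value) and uses Null encryption only for ESP.
SAMPLE_CONF = """\
conn null-everywhere
    keyexchange=ikev2
    ike=null-sha1-modp1024!
    esp=null-sha1-modp1024!

conn null-esp-only
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    esp=null-sha1-modp1024!
"""

def find_null_proposals(conf_text):
    """Return (conn, keyword, proposal) for each ike=/esp= proposal using null."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            conn = m.group(1)                    # entering a new conn section
            continue
        m = re.match(r"(ike|esp)\s*=\s*(.+)$", line)
        if not m or conn is None:
            continue
        keyword, value = m.group(1), m.group(2).rstrip("!").strip()
        for proposal in value.split(","):        # several proposals may be listed
            algs = proposal.strip().lower().split("-")
            if "null" in algs:
                findings.append((conn, keyword, proposal.strip()))
    return findings

def audit(conf_text):
    """Null in IKE is reported as an error, Null in ESP as a warning."""
    found = find_null_proposals(conf_text)
    errors = [f for f in found if f[1] == "ike"]
    warnings = [f for f in found if f[1] == "esp"]
    return errors, warnings

if __name__ == "__main__":
    errors, warnings = audit(SAMPLE_CONF)
    for conn, kw, prop in errors:
        print(f"ERROR conn {conn}: {kw}={prop} uses Null encryption for IKE")
    for conn, kw, prop in warnings:
        print(f"WARN  conn {conn}: {kw}={prop} gives no ESP confidentiality")
```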