[strongSwan-dev] can i apply NULL encryption with strongswan ?

Martin Willi martin at strongswan.org
Mon Feb 7 16:37:13 CET 2011

Hi Christophe,

>     ike=null-sha1-modp1024!
>     esp=null-sha1-modp1024!

Using Null encryption for the IKE protocol is considered insecure, you
should not use it in a productive setup. It is not really defined for
the use in IKEv2 itself. Null encryption in ESP is fine if you don't
need confidentiality, but you should use a cipher in IKE anyway.

> 09[IKE] ENCRYPTION_ALGORITHM NULL (key size 20) not supported!
> 09[IKE] key derivation failed

strongSwan does not provide a Null transform in userland in its default
configuration. But you can enable the OpenSSL crypto backend by passing
--enable-openssl to ./configure, it provides a Null transform. The
proposal above should work then between strongSwans, but be aware of the


More information about the Dev mailing list