[strongSwan-dev] NIST 800-131a

Martin Willi martin at strongswan.org
Mon Nov 5 15:52:26 CET 2012


Hello Dale,

> but I did find that the crypto back end is based on libgcrypt.

We support different crypto backends in strongSwan. The default uses our
own crypto routines provided directly by strongSwan. Alternatively you
can use the OpenSSL or the libgcrypt-based crypto backends. This can be
configured by passing the appropriate options to the ./configure script.

In addition to what we use in userspace, you usually make use of the
cryptographic API from the Linux kernel to process ESP packets.

> does this mean that just by specifying the required encryption
> algorithms with the appropriate key lengths for connections, my system
> (currently 4.6.1) will be compliant with the NIST standard?

Yes, the ipsec.conf "esp" and "ike" proposal keywords allow you to
define the algorithms to use; see man ipsec.conf for details. Also make sure
to append a "!" to the value of these keywords; this will remove the
fallback to other algorithms supported by your build.

Public key strengths are defined by the keys you configure, or what your
CA issues. In newer strongSwan releases, you can also define additional
public key strength requirements with the left/rightauth options. The
manpage of ipsec.conf has more details.

Regards
Martin
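
Added example, not part of the original message and not strongSwan code: a small audit that reads an ipsec.conf and reports every conn whose effective "ike" or "esp" value lacks the trailing "!" or is not set at all. The sample configuration is constructed, the function names are hypothetical, and the parser is simplified: it applies "conn %default" to all conns and does not resolve "also=" includes.

```python
# Constructed sample ipsec.conf for illustration (not from the original post).
SAMPLE = """\
config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!

conn site-a
    esp=aes256-sha256!

conn site-b
    ike=aes256-sha256-modp2048
    esp=aes128-sha1

conn site-c
    right=192.0.2.30
"""

def parse_conns(text):
    """Return {conn_name: {keyword: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header starts at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented keyword=value
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(text):
    """Return sorted (conn, keyword, problem) findings for ike/esp proposals."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})          # assumption: applies to every conn
    findings = []
    for name, opts in conns.items():
        effective = {**defaults, **opts}
        for kw in ("ike", "esp"):
            value = effective.get(kw)
            if value is None:                     # no explicit proposal configured
                findings.append((name, kw, "unset"))
            elif not value.endswith("!"):         # fallback to other algorithms remains
                findings.append((name, kw, "no-strict-flag"))
    return sorted(findings)
```

An empty result means every conn has explicit, strict "ike" and "esp" proposals; whether the listed algorithms themselves meet the standard still has to be checked against the policy you are targeting.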




