[strongSwan] sha2_256_96 and IKEv2

Martin Willi martin at strongswan.org
Mon Apr 19 13:42:16 CEST 2010


Hi Gabriel,

> esp=aes256-sha2_256_96-modp8192!

> charon: 04[CFG] an algorithm from private space would match, but peer
> implementation is unknown, skipped

sha2_256_96 is a non-standard algorithm allocated in the private range.
As this number might be used differently by other implementations,
charon has to know that it is talking to charon. This is strictly
required starting with 4.3.6 and can be achieved by sending the
strongSwan vendor ID. charon sends a Vendor ID if the
charon.send_vendor_id strongswan.conf option is set.

However, I'd recommend using the standardized sha2_256 algorithm, which
uses 128-bit instead of the Linux-specific 96-bit truncation scheme. It is
supported starting with Linux 2.6.33.

Regards
Martin
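
The truncation mismatch behind this advice, as an added example that is not part of the original post or strongSwan code: two peers that both compute HMAC-SHA-256 but cut the integrity check value (ICV) at 96 versus 128 bits (the RFC 4868 length) cannot verify each other's packets. The packet layout (payload followed by ICV) is a simplification of ESP, and the function names are hypothetical; key and message are the RFC 4231 test case 1 inputs.

```python
import hashlib
import hmac

# Constructed sample input: key and message from RFC 4231 test case 1.
KEY = bytes([0x0B]) * 20
PAYLOAD = b"Hi There"


def icv(key: bytes, data: bytes, bits: int) -> bytes:
    """HMAC-SHA-256 over data, truncated to the leftmost `bits` bits."""
    if bits % 8 or not 0 < bits <= 256:
        raise ValueError("truncation must be a whole number of bytes, max 256 bits")
    return hmac.new(key, data, hashlib.sha256).digest()[: bits // 8]


def protect(key: bytes, payload: bytes, bits: int) -> bytes:
    """Simplified ESP-like packet: payload followed by its truncated ICV."""
    return payload + icv(key, payload, bits)


def verify(key: bytes, packet: bytes, bits: int):
    """Return the payload if the ICV checks out, otherwise None.

    The receiver has no length field for the ICV: it splits the packet
    purely according to the truncation length it negotiated.
    """
    n = bits // 8
    if len(packet) < n:
        return None
    payload, tag = packet[:-n], packet[-n:]
    if hmac.compare_digest(tag, icv(key, payload, bits)):
        return payload
    return None


if __name__ == "__main__":
    for tx_bits in (96, 128):
        packet = protect(KEY, PAYLOAD, tx_bits)
        for rx_bits in (96, 128):
            ok = verify(KEY, packet, rx_bits) is not None
            print(f"sender {tx_bits}-bit, receiver {rx_bits}-bit: "
                  f"{'accepted' if ok else 'dropped'}")
```

With mismatched lengths the receiver splits the packet at the wrong offset, so every packet fails the integrity check even though both sides hold the same key.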




