[strongSwan] many cipher/hash modes seems to be unavailable
Christoph Anton Mitterer
calestyo at scientia.net
Sun Oct 3 20:23:32 CEST 2010
On Sun, 2010-10-03 at 13:54 +0200, Andreas Steffen wrote:
> Actually esp does not need an additional hash algorithm if AEAD
> is used. Thus
>
> esp = aes256gcm128-sha512-modp2048!
>
> is actually wrong. The correct syntax is
>
> esp = aes256gcm128-modp2048!
>
> if you want perfect forward secrecy or just
>
> esp = aes256gcm128!
>
> without PFS during IPsec SA rekeying. With non-AEAD authentication
> a data integrity algorithm *must* be defined, e.g.
>
> esp=aes256-sha512!
Ah, thanks for that information... and I guess with the ike parameter
it's the same.
Could you please update the manpages/wiki pages to reflect this for
other end-users like me?! ;)
Cheers,
Chris.
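
The rule quoted in this message, written as a small check for `esp=` values. This is an added example, not part of the original message and not strongSwan code; the function name `check_esp` and the partial keyword patterns are assumptions made for illustration.

```python
import re

# Partial keyword patterns, assumed for this example; not strongSwan's full list.
AEAD = re.compile(r"^(aes(128|192|256)(gcm|ccm)(8|12|16|64|96|128)|chacha20poly1305)$")
INTEG = re.compile(r"^(md5|sha1|sha256|sha384|sha512|sha2_(256|384|512)|aesxcbc)$")
DH = re.compile(r"^(modp|ecp)\d+$")


def check_esp(value):
    """Check each comma-separated proposal in an esp= value.

    Returns a list of (proposal, errors, pfs) tuples; pfs is True when a
    DH group is present (PFS during IPsec SA rekeying).
    """
    results = []
    for proposal in value.strip().rstrip("!").split(","):
        tokens = [t for t in proposal.strip().lower().split("-") if t]
        aead = [t for t in tokens if AEAD.match(t)]
        integ = [t for t in tokens if INTEG.match(t)]
        dh = [t for t in tokens if DH.match(t)]
        # Any other token is treated as a non-AEAD cipher (assumption).
        plain = [t for t in tokens if t not in aead + integ + dh]
        errors = []
        if aead and integ:
            errors.append("AEAD cipher %s must not be combined with integrity "
                          "algorithm %s" % (aead[0], integ[0]))
        if plain and not integ:
            errors.append("non-AEAD cipher %s needs a data integrity "
                          "algorithm" % plain[0])
        if not aead and not plain:
            errors.append("no encryption algorithm given")
        results.append((proposal.strip(), errors, bool(dh)))
    return results


if __name__ == "__main__":
    # Constructed input: the four values from the message plus one without integrity.
    samples = ("aes256gcm128-sha512-modp2048!", "aes256gcm128-modp2048!",
               "aes256gcm128!", "aes256-sha512!", "aes256!")
    for sample in samples:
        for proposal, errors, pfs in check_esp(sample):
            status = "; ".join(errors) if errors else "ok"
            print("%-32s pfs=%-5s %s" % (proposal, pfs, status))
```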