[strongSwan] Augment the "esp cipher suites" with foreign not standard ciphers

ABULIUS, MUGUR (MUGUR) mugur.abulius at alcatel-lucent.com
Fri Oct 8 10:34:47 CEST 2010

Hi Martin,

> Adding a new ESP cipher is possible, but not straight forward.
> You'll need to add support in several layers:

> 1) First, of course, the kernel needs support for this algorithm
>    in the crypto API
> 2) The kernel needs support for the new algorithm in the XFRM
>    subsystem.
> 3) Choose an IKEv2 algorithm identifier (in private space?) for 
>    your algorithm
> 4) Add a proposal configuration option for the algorithm identifier
> 5) Extend the kernel interface by the new cipher

We intercept the SA flow between strongSwan and kernel by our
user mode agent using PF_KEY sockets and we disable Linux
IPsec-ing with disable_xfrm disable_policy. The IP data flow is
not IPsec-ed by Linux but by an external NPU.

Then, probably only the items 3) and 4) from your list are required.

Concerning the item 3, if we choose an IKEv2 algorithm identifier
then how we can specify it with strongSwan? I don't understand what is
and what should be done for the item 4 ("proposal configuration option").

A simple but not elegant solution is to negotiate a well-known/supported
Cipher but, by convention, to apply to the both ends of the tunnel the
new cipher (not related to negotiated one).

Best Regards

More information about the Users mailing list