[strongSwan] How to specify the prf algorithm in ikev2

Martin Willi martin at strongswan.org
Tue Oct 19 11:35:36 CEST 2010


> In ipsec.conf, we could actually specify the ike=encryption-integrity-DH group;
> so how could I change the prf algorithm being used?

This is currently not possible via ipsec.conf, the specified integrity
algorithm is also used as PRF. We could extend that syntax somehow, but
I don't think it makes a lot of sense for the end user.

> the first one would be: PRF(HMAC_SHA1 and AES128_CBC) and Integrity (HMAC_SHA1_96)
> the second one would be: PRF(HMAC_SHA1) and Integrity(HMAC_SHA1_96 and AES_XCBC_96)

We discussed this some weeks ago, Jiri posted a patch [1] that worked
for his testing efforts.


