[strongSwan] Limiting the cipher suites in remote peer proposal

Alexander Lyakas alex.bolshoy at gmail.com
Thu Mar 8 14:26:34 CET 2012

Greetings everybody,
I am trying see how strongswan can accept only particular cipher
suites proposed by remote peer. The esp= and ike= parameters in
ipsec.conf are used
for outgoing proposal only.

I did some digging in strongswan 4.5.0 code.

It looks like the peer proposal for IKEv1 is checked against
ike_alg_base[] (in ike_alg.c), and this array is filled according to
the plugins loaded by strongswan, and also according to some
hard-coded switch{} in init_crypto(), which skips some of the loaded
plugins. So for IKE, I guess, I can just control the loaded plugins.

For IPSec however, I see that esp_aalg[] and esp_ealg[] arrays are
populated after querying the kernel what is supports. The incoming
proposal checks that algorithms are present in those maps only. So
there looks to be no parameter to control the incoming proposal beyond

Is my understanding correct? Is there a way to solve this?


BTW, the outgoing proposal is, in addition, checked against the
encr_map[] and auth_map[] via
[esp|oakley]_from_[encryption|integrity]_algorithm() functions. So
these two maps must be hard-coded consistently with the loaded plugins
(for oakley) and with what kernel reports (for ESP). Is this an
intended approach? In the code I am looking at (4.5.0), they seem

More information about the Users mailing list