[strongSwan] How to specify AES128-XCBC as the PRF in strongswan-5.0.1?

Andreas Steffen andreas.steffen at strongswan.org
Tue Oct 16 07:51:47 CEST 2012


Hello Robert,

in ipsec.conf currently the IKEv2 PRF cannot be configured
independently of the IKEv2 integrity method.

   ike=aes128-aesxcbc-modp2048!

configures both.

Regards

Andreas

On 10/16/2012 07:43 AM, Robert Lee wrote:
> Hi,
>
> How can I specify AES128-XCBC as the Pseudo Random Function in ipsec.conf?
>
> In the testing folder under
> ~/strongswan-5.0.1/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat, I
> see the following two lines from moon and carol:
> moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
> carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
>
> Looks like they are using PRF_AES128_XCBC already. But in the
> corresponding moon's or carol's ipsec.conf, I only see
>         ike=aes128-aesxcbc-modp2048!
>         esp=aes128-aesxcbc-modp2048!
>
> So how can I make strongswan use AES128-XCBC as the designated PRF? Thank you!
>
> Robert


======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
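
Added example, not part of the original message or of strongSwan's code: a small check that the PRF shown in `ipsec statusall` output is the one implied by the integrity keyword in the `ike=` line, as the reply above describes. Assumptions: the `IKE proposal:` line layout, the sample output (constructed, with a deliberately mismatched second line to exercise the failure path), and the `sha1`/`sha256` table rows; only the `aesxcbc` row comes from the thread.

```python
import re

# Integrity keyword in ike= -> (integrity transform, PRF) as printed by statusall.
# The aesxcbc row is taken from the thread; the sha1/sha256 rows are assumptions.
IMPLIED = {
    "aesxcbc": ("AES_XCBC_96", "PRF_AES128_XCBC"),
    "sha1": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
    "sha256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
}
PROPOSAL_RE = re.compile(r"IKE proposal:\s*(\S+)")


def implied_transforms(ike_value):
    """Return (integrity, prf) implied by e.g. 'aes128-aesxcbc-modp2048!'."""
    tokens = ike_value.rstrip("!").split("-")
    hits = [IMPLIED[t] for t in tokens if t in IMPLIED]
    if len(hits) != 1:
        raise ValueError(f"need exactly one known integrity keyword in {ike_value!r}")
    return hits[0]


def negotiated_proposals(statusall_text):
    """Extract each negotiated IKE proposal as a list of '/'-separated transforms."""
    return [m.group(1).split("/") for m in PROPOSAL_RE.finditer(statusall_text)]


def check_prf(ike_value, statusall_text):
    """Return (proposal, ok) pairs; ok means integrity and PRF both match."""
    integ, prf = implied_transforms(ike_value)
    results = []
    for transforms in negotiated_proposals(statusall_text):
        prfs = [t for t in transforms if t.startswith("PRF_")]
        ok = integ in transforms and prfs == [prf]
        results.append(("/".join(transforms), ok))
    return results


# Constructed sample output (not captured from a real gateway).
SAMPLE = """\
rw[1]: ESTABLISHED 5 seconds ago, 192.168.0.1[moon]...192.168.0.100[carol]
rw[1]: IKE proposal: AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048
rw[2]: IKE proposal: AES_CBC_128/AES_XCBC_96/PRF_HMAC_SHA1/MODP_2048
"""

if __name__ == "__main__":
    for proposal, ok in check_prf("aes128-aesxcbc-modp2048!", SAMPLE):
        print("OK  " if ok else "FAIL", proposal)
```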



