[strongSwan] Android client supported Cipher Suites? trouble getting aes256 to work

Tobias Brunner tobias at strongswan.org
Thu Sep 27 09:34:56 CEST 2012


Hi Andreas,

> in fact, very strange collection of cipher suites the
> strongSwan Android client is proposing:
> 
> received proposals: ESP:
>   AES_CBC_128/AES_CBC_192/AES_CBC_256/
>   3DES_CBC/BLOWFISH_CBC_256/
>   HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/
>   NO_EXT_SEQ
> 
> I'm not aware that libipsec would support blowfish_cbc, 3des_cbc,
> aes_xcbc, and hmac_md5_96 and sha256_128,sha384_192 and sha512_256
> are prominently missing. Tobias could you check that?

That's just charon's default ESP proposal (see proposal.c).  Because
charon currently doesn't know which algorithms the IPsec stack actually
supports this is static (unlike the dynamically constructed default IKE
proposal).  With kernel-pfkey we could theoretically query the kernel
for its supported algorithms, libipsec would obviously support it too
but kernel-netlink has no interface to do so.  But I suppose we could
construct a custom proposal for the Android app with the knowledge of
what libipsec actually supports (which currently is AES + SHA1/SHA2).

Regards,
Tobias
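
Added example, not part of the original message and not strongSwan code: a small checker that parses a logged ESP proposal like the one quoted above and separates the transforms an IPsec stack can actually use from those that are only advertised by the static default. The supported set encodes the "AES + SHA1/SHA2" statement from the reply as name prefixes, which is an assumption, and the helper names are hypothetical.

```python
import re

# Constructed sample: the ESP proposal quoted in the thread, joined onto one line.
LOGGED = ("received proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/"
          "3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ")

# Assumption: "AES + SHA1/SHA2" from the reply, expressed as transform-name prefixes.
SUPPORTED = {"encryption": ("AES_CBC_",), "integrity": ("HMAC_SHA1_", "HMAC_SHA2_")}

def classify(name):
    """Heuristic transform type, covering the name families seen in this thread."""
    if name in ("EXT_SEQ", "NO_EXT_SEQ"):
        return "esn"
    if name.startswith(("MODP_", "ECP_")):
        return "dh"
    if name.startswith(("HMAC_", "AES_XCBC_")):
        return "integrity"
    return "encryption"

def parse_proposals(text):
    """Return [(protocol, [transform, ...])] from a log line, wrapped or '>'-quoted."""
    flat = re.sub(r"[>\s]+", "", text)
    return [(m.group(1), [n for n in m.group(2).split("/") if n])
            for m in re.finditer(r"\b(ESP|AH):([A-Z0-9_/]+)", flat)]

def check(text):
    """Per proposal, split transforms into those the assumed stack supports and the rest."""
    report = []
    for proto, names in parse_proposals(text):
        ok, unsupported = {}, {}
        for name in names:
            kind = classify(name)
            prefixes = SUPPORTED.get(kind)  # None: type not restricted here (esn, dh)
            bucket = ok if prefixes is None or name.startswith(prefixes) else unsupported
            bucket.setdefault(kind, []).append(name)
        report.append((proto, ok, unsupported))
    return report

if __name__ == "__main__":
    for proto, ok, unsupported in check(LOGGED):
        print(proto, "supported:", ok)
        print(proto, "proposed but unsupported:", unsupported)
```

Run against a gateway log line, the "unsupported" bucket shows which transforms a responder should not select for this peer even though they appear in the proposal.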




