[strongSwan] Question about "ike=aes256gcm16-aesxcbc-modp2048!" in ipsec.conf
Motonori Shindo
motonori at shin.do
Tue Jan 22 11:20:37 CET 2013
Hi,
I'm a newbie to strongSwan. I often see the following configuration example:
ike=aes256gcm16-aesxcbc-modp2048!
esp=aes256gcm16-modp2048!
as seen in http://www.strongswan.org/uml/testresults/ikev2/alg-aes-gcm/moon.ipsec.conf, for example.
In my understanding, aes256gcm16 can do both encryption and integrity checking, and that's why specifying "aes256gcm16-modp2048!" for esp suffices for the "encryption-integrity-dhgroup" part. What I don't understand is why we need "aesxcbc" for "ike" in conjunction with "aes256gcm16". Does this mean that aes256gcm16 can't be used for integrity checking for phase 1?
Regards,
---
Motonori Shindo