[strongSwan] Initialization vector (IV) creation criteria

Martin Willi martin at strongswan.org
Thu Jun 27 14:01:34 CEST 2013


> - It is explicitly not allowed to construct the IV from the encrypted
> data of the preceding encryption process.

> Does strongSwan follow this criterion when it encrypts ESP
> packets?

strongSwan is not directly involved in the ESP encapsulation process;
this is usually done by the kernel. On Linux, the different transforms
use different algorithms to generate the IV; refer to the kernel sources
for more details.

strongSwan generates IVs for IKE packets; these IVs are usually read
from /dev/urandom.
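
The following is an added example, not part of the original message and not strongSwan or kernel code. It assumes a CBC cipher with a 16-byte block; the cbc_record layout and the function names are hypothetical. It checks a sequence of captured records for the forbidden construction (IV equal to the last ciphertext block of the preceding record) and draws a fresh IV from /dev/urandom for comparison.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLK 16  /* assumed CBC block and IV size in bytes */

/* One captured CBC record (hypothetical layout for this example). */
struct cbc_record {
    const unsigned char *iv;  /* BLK bytes */
    const unsigned char *ct;  /* ciphertext, a multiple of BLK bytes */
    size_t ct_len;
};

/* Fill iv with BLK bytes from /dev/urandom; returns 0 on success, -1 on error. */
int random_iv(unsigned char iv[BLK])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(iv, 1, BLK, f);
    fclose(f);
    return n == BLK ? 0 : -1;
}

/* Count records whose IV equals the last ciphertext block of the record
 * before it, i.e. an IV built from the preceding encryption's output. */
size_t count_chained_ivs(const struct cbc_record *r, size_t n)
{
    size_t hits = 0;
    for (size_t i = 1; i < n; i++) {
        const struct cbc_record *prev = &r[i - 1];
        if (prev->ct_len < BLK || prev->ct_len % BLK != 0)
            continue;  /* empty or malformed record: nothing to compare */
        if (memcmp(r[i].iv, prev->ct + prev->ct_len - BLK, BLK) == 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample data, not real traffic. */
    unsigned char ct0[2 * BLK], ct1[BLK], iv0[BLK], iv1[BLK];
    memset(ct0, 0xAA, BLK); memset(ct0 + BLK, 0xBB, BLK);
    memset(ct1, 0xCC, BLK); memset(iv0, 0x01, BLK);
    if (random_iv(iv1) != 0) return 1;
    struct cbc_record chained[] = { {iv0, ct0, sizeof ct0}, {ct0 + BLK, ct1, BLK} };
    struct cbc_record fresh[] = { {iv0, ct0, sizeof ct0}, {iv1, ct1, BLK} };
    printf("chained: %zu, fresh: %zu\n", count_chained_ivs(chained, 2), count_chained_ivs(fresh, 2));
    return 0;
}
```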

