[strongSwan] Android supported cipher suites
Andreas Steffen
andreas.steffen at strongswan.org
Sun Apr 12 07:35:53 CEST 2015
Hi Mark,
On 04/11/2015 10:52 PM, Mark M wrote:
> Andreas,
>
> Thanks for the info. This means that the Android client fully supports
> SuiteB.
>
Yes it does.
> Does the client support pfs? I have esp=aes256-sha384-ecp384! but I only
> see AES_CBC_256/HMAC_SHA2_384_192 for the tunnel SA? Maybe I am confused
> about how pfs works or what adding the DH group to esp= does? I
>
Adding a DH group to esp= enables PFS.
> phone1{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca1b40f8_i cf71b373_o
>> phone1{2}: AES_CBC_256/HMAC_SHA2_384_192, 15552 bytes_i (100
>
> Thanks,
>
> Mark-
>
Regards
Andreas
>
>
>
> On Saturday, April 11, 2015 8:59 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>
> Hi Mark,
>
> the Android client proposes the following cipher suites:
>
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/
> HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/
> HMAC_SHA2_512_256/AES_XCBC_96/
> PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/
> PRF_HMAC_SHA2_512/PRF_AES128_XCBC/
> MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/
> MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/
> ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP,
> IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/
> AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/
> AES_GCM_16_256/
> PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/
> PRF_HMAC_SHA2_512/PRF_AES128_XCBC/
> MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/
> MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/
> ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
>
> ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/
> HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
>
> Best regards
>
> Andreas
>
> On 04/11/2015 04:45 AM, Mark M wrote:
>> What cipher suites are officially supported with the Android client? I
>> am using Android 5.0.2 and was able to establish an SA and tunnel with
>> esp=aes256-sha384-ecp384! and ike=aes256-sha384-ecp384!
>>
>> The documentation on the site and the Android Play page does not really
>> specify the actual supported ciphers?
>>
>> Below is the output of my strongswan statusall
>>
>> phone1[4]: IKEv2 SPIs: de827fcebd1a9dff_i 8bf56383c0465740_r*, public
>> key reauthentication in 2 hours
>> phone1[4]: IKE proposal:
>> AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
>> phone1{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca1b40f8_i cf71b373_o
>> phone1{2}: AES_CBC_256/HMAC_SHA2_384_192, 15552 bytes_i (100
>> pkts, 17s ago), 27531 bytes_o (87 pkts, 17s ago), rekeying in 44 minutes
>> phone1{2}: 0.0.0.0/0 === 192.168.9.1/32
>>
>>
>>
>> Thanks,
>>
>> Mark-
>
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150412/65d3b7f5/attachment-0001.bin>
More information about the Users
mailing list