[strongSwan] Android supported cipher suites
Tobias Brunner
tobias at strongswan.org
Mon Apr 13 10:13:10 CEST 2015
Hi Mark,
> ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/
> HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
These are the ESP proposals for the first CHILD_SA that is negotiated
with the IKE_SA, so no DH groups are included. The full proposal used
when the CHILD_SA is rekeyed looks like this:

ESP:AES_GCM_16_128/AES_GCM_16_256/ECP_256/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_384_192/ECP_521/MODP_8192/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/
HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/
ECP_256/ECP_384/ECP_521/MODP_2048/MODP_3072/
MODP_4096/MODP_1024/NO_EXT_SEQ
ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/
HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ

So if the gateway's ESP proposal is configured with DH group(s), PFS will
be used.
Regards,
Tobias
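
The behaviour described in the message above, as an added example that is not part of the original post and is not strongSwan code: it parses the listed rekey proposal and checks which gateway ESP configuration ends up with a DH group. The matching rule is a simplified model of IKEv2 proposal selection, and `GATEWAY_PFS` / `GATEWAY_NO_PFS` are constructed sample configurations.

```python
# Added example: simplified model of ESP proposal matching, not strongSwan code.
KINDS = {"AES": "encr", "HMAC": "integ", "ECP": "dh", "MODP": "dh",
         "NO": "esn", "EXT": "esn"}

# Rekey proposal as listed in the message above.
CLIENT_REKEY = """
ESP:AES_GCM_16_128/AES_GCM_16_256/ECP_256/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_384_192/ECP_521/MODP_8192/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/
HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/
ECP_256/ECP_384/ECP_521/MODP_2048/MODP_3072/
MODP_4096/MODP_1024/NO_EXT_SEQ
ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/
HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
"""
# Constructed gateway configurations (assumptions, not from the thread).
GATEWAY_PFS = "ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_3072/NO_EXT_SEQ"
GATEWAY_NO_PFS = "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ"

def parse(text):
    """Return one {transform type: [names]} dict per 'ESP:' proposal in text."""
    proposals = []
    for chunk in "".join(text.split()).split("ESP:")[1:]:
        prop = {}
        for name in filter(None, chunk.strip(",").split("/")):
            prop.setdefault(KINDS[name.split("_")[0]], []).append(name)
        proposals.append(prop)
    return proposals

def select(client, gateway, initial=False):
    """First compatible (gateway, client) pair as {type: transform}, else None."""
    def view(p):  # the first CHILD_SA is keyed from the IKE_SA: DH is ignored
        return {k: v for k, v in p.items() if not (initial and k == "dh")}
    for gw in map(view, gateway):
        for cl in map(view, client):
            if set(gw) != set(cl):  # a transform type offered by one side only
                continue
            chosen = {k: next((t for t in gw[k] if t in cl[k]), None) for k in gw}
            if all(chosen.values()):
                return chosen
    return None

def uses_pfs(client, gateway, initial=False):
    """True when the selected proposal carries a DH group."""
    chosen = select(client, gateway, initial)
    return bool(chosen) and "dh" in chosen
```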