[strongSwan] Different cipher suites for each connection parameters

Martin Willi martin at strongswan.org
Wed Apr 29 15:55:19 CEST 2015

Hi Lars,

> Is it possible to have different cipher suites for all the "conn"
> parameters in ipsec.conf? 

Yes. But for IKE proposals, algorithm selection happens very early in
the exchange, before any peer identity gets exchanged. This is because
these details are explicitly protected under the algorithms we

So you can't use peer identities to select IKE algorithms, but must rely
on information that is available at this stage, such as the IKE version
or peer endpoint addresses (left/right).

For ESP this is less of a problem, and if you have appropriate selectors
to actually select the correct config, you can define separate
algorithms for them.


More information about the Users mailing list