[strongSwan] Different cipher suites for each connection parameters

Martin Willi martin at strongswan.org
Wed Apr 29 15:55:19 CEST 2015


Hi Lars,

> Is it possible to have different cipher suites for all the "conn"
> parameters in ipsec.conf? 

Yes. But for IKE proposals, algorithm selection happens very early in
the exchange, before any peer identity gets exchanged. This is because
these details are explicitly protected under the algorithms we
negotiate.

So you can't use peer identities to select IKE algorithms, but must rely
on information that is available at this stage, such as the IKE version
or peer endpoint addresses (left/right).

For ESP this is less of a problem, and if you have appropriate selectors
to actually select the correct config, you can define separate
algorithms for them.

Regards
Martin
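An ipsec.conf that applies the rule in the reply above, added here as an illustration (it is not part of Martin's message or of the strongSwan documentation). The addresses are RFC 5737 documentation ranges, and the identities, certificate name and subnets are constructed placeholders. It assumes strongSwan 5.x with charon and IKEv2. Peers A and B get different IKE proposals because they are distinguishable by remote address at IKE_SA_INIT; the two CHILD_SAs towards peer B share one IKE_SA (and therefore one ike= list) but carry different ESP proposals, selected by their traffic selectors.

```conf
config setup

conn %default
    keyexchange=ikev2
    leftid=@gw.example.org
    leftcert=gwCert.pem
    leftsubnet=10.0.0.0/16
    auto=add

# Peer A is identified at IKE_SA_INIT by its address alone, so it can
# have its own IKE proposal. The trailing "!" makes the list strict:
# no default proposals are appended to it.
conn peer-a
    left=203.0.113.1
    right=198.51.100.1
    rightid=@peer-a.example.net
    rightsubnet=10.1.0.0/16
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!

# Peer B has a different remote address, hence a different ike= list
# can apply to it.
conn peer-b
    left=203.0.113.1
    right=198.51.100.2
    rightid=@peer-b.example.net
    rightsubnet=10.2.0.0/16
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256-modp2048!

# Second CHILD_SA towards peer B, distinguished from "peer-b" only by its
# traffic selectors. It must keep the same ike= (the IKE_SA is shared),
# but esp= is negotiated per CHILD_SA and may differ.
conn peer-b-telemetry
    left=203.0.113.1
    right=198.51.100.2
    rightid=@peer-b.example.net
    rightsubnet=10.3.0.0/24
    ike=aes128-sha256-modp2048!
    esp=aes128gcm16-modp2048!
```

What this does not give you: two conns that both use right=%any and differ only in rightid cannot carry different ike= lists, because the responder has to pick its IKE proposal before any ID payload arrives; for such road-warrior setups, put the stronger list in the conn that matches first and let the peer choose from it. After the tunnels are up, `ipsec statusall` shows which proposal each IKE_SA and CHILD_SA actually negotiated, which is the quickest way to confirm the selection did what you intended.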

