[strongSwan] Recommended Practice: Encryption options for net-to-net tunnels

Andreas Steffen andreas.steffen at strongswan.org
Thu Dec 10 17:34:59 CET 2015

Hi Tom,

if you know the options on both sides then one set of options
is sufficient. If the connection setup works the first time
around then it will always work. If you are not sure what
the other side supports then you have to define several
options with the preferred option up front and the most common
option e.g. (aes128-sha1-modp2048) at the very end.

By the way


does not give you constant 256 bit security. The correct choice is


Make sure to add the '!' strict flag at the end of your proposal
list. Otherwise a big list of default strongSwan proposals will be

Besides strongSwan probably only a small number of other products
are supporting the Brainpool ECDH group.

Best regards


On 12/10/2015 12:57 AM, Tom Rymes wrote:
> I was hoping that someone might aid me in providing a best practice
> when setting up a tunnel between two devices connecting two lans.
> Is it best to specify one and only one combination of encryption
> schemes for this tunnel (i.e.: ike=aes256-sha2_256-ecp512bp) or
> multiple options? This is presuming that you know what options each
> side supports.
> In other words, which aids in reliability and avoiding problems:
> limiting the options down to one combination, or providing multiple
> choices?
> Thank you,
> Tom 

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
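An ipsec.conf sketch of the advice above (preferred option first, the common fallback last, and the strict flag so the built-in defaults are not appended). This is an added illustration, not configuration from the post or from the strongSwan project; the addresses, subnets and the preferred proposal are placeholders to be filled with what both peers actually support.

```conf
# Added example, not from the mailing-list post. Addresses, subnets and
# the preferred proposal are placeholders.

# Loose: no '!' at the end, so strongSwan appends its own default
# proposals after this one and the peer may end up selecting one of them.
conn net-net-loose
    keyexchange=ikev2
    left=192.0.2.1            # placeholder gateway address
    leftsubnet=10.1.0.0/16    # placeholder local LAN
    right=198.51.100.1        # placeholder peer address
    rightsubnet=10.2.0.0/16   # placeholder remote LAN
    ike=aes256-sha2_256-ecp512bp
    esp=aes256-sha2_256
    auto=start

# Strict: one or more explicit options, the preferred one up front, the
# widely supported aes128-sha1-modp2048 at the very end, and '!' so that
# nothing outside this list is offered or accepted.
conn net-net-strict
    keyexchange=ikev2
    left=192.0.2.1            # placeholder gateway address
    leftsubnet=10.1.0.0/16    # placeholder local LAN
    right=198.51.100.1        # placeholder peer address
    rightsubnet=10.2.0.0/16   # placeholder remote LAN
    ike=<preferred-proposal>,aes128-sha1-modp2048!
    esp=<preferred-proposal>,aes128-sha1!
    auto=start
```

If both sides are known to support the preferred proposal, the fallback entry can be dropped and the single option kept, still terminated with '!'.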
