[strongSwan] Recommended Practice: Encryption options for net-to-net tunnels
Tom Rymes
trymes at rymes.com
Thu Dec 10 17:45:14 CET 2015
On 12/10/2015 11:34 AM, Andreas Steffen wrote:
> if you know the options on both sides then one set of options
> is sufficient. If the connection setup works the first time
> around then it will always work. If you are not sure what
> the other side supports then you have to define several
> options with the preferred option up front and the most common
> option e.g. (aes128-sha1-modp2048) at the very end.
Thanks for confirming that, Andreas. My suspicion was that would be the
case, but I wanted to confirm.
> By the way
>
> ike=aes256-sha2_256-ecp512bp
>
> does not give you constant 256 bit security. The correct choice is
>
> ike=aes256-sha512-ecp512bp!
Excellent, this is great information!
Thank you,
tom
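
An added example, not part of the original message or of strongSwan: a small check that parses an `ike=` value as discussed in this thread and reports which keyword limits each proposal's strength. The strength table is an assumption (ciphers rated by key size, hashes by half their digest length, DH groups by commonly cited symmetric-equivalent estimates), and `parse_ike` and `audit` are hypothetical names.

```python
# Added example: strength estimates below are assumptions, not strongSwan data.
# Ciphers are rated by key size, hashes by half their digest length, and
# DH groups by commonly cited symmetric-equivalent strengths.
BITS = {
    "aes128": 128, "aes256": 256,
    "sha1": 80, "sha2_256": 128, "sha256": 128, "sha2_512": 256, "sha512": 256,
    "modp2048": 112, "ecp512bp": 256,
}


def parse_ike(value):
    """Split an ike= value into (list of proposals, strict flag)."""
    value = value.strip()
    strict = value.endswith("!")  # trailing "!" is strongSwan's strict flag
    body = value.rstrip("!")
    proposals = [p.strip().split("-") for p in body.split(",") if p.strip()]
    return proposals, strict


def audit(value):
    """Return (report, strict); report keeps the configured preference order.

    Each report entry is (proposal, effective_bits, weakest_keywords).
    """
    proposals, strict = parse_ike(value)
    report = []
    for tokens in proposals:
        unknown = [t for t in tokens if t not in BITS]
        if unknown:
            raise ValueError("no strength estimate for: " + ", ".join(unknown))
        low = min(BITS[t] for t in tokens)
        weakest = sorted(t for t in tokens if BITS[t] == low)
        report.append(("-".join(tokens), low, weakest))
    return report, strict


if __name__ == "__main__":
    for line in ("aes256-sha2_256-ecp512bp",
                 "aes256-sha512-ecp512bp!",
                 "aes256-sha512-ecp512bp,aes128-sha1-modp2048"):
        report, strict = audit(line)
        for proposal, bits, weakest in report:
            print(f"{proposal:28} ~{bits:3} bits, limited by {weakest}, strict={strict}")
```
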