[strongSwan] Recommended Practice: Encryption options for net-to-net tunnels

Tom Rymes trymes at rymes.com
Thu Dec 10 17:45:14 CET 2015

On 12/10/2015 11:34 AM, Andreas Steffen wrote:
> if you know the options on both sides then one set of options
> is sufficient. If the connection setup works the first time
> around then it will always work. If you are not sure what
> the other side supports then you have to define several
> options with the preferred option up front and the most common
> option e.g. (aes128-sha1-modp2048) at the very end.

Thanks for confirming that, Andreas. My suspicion was that would be the
case, but I wanted to confirm.

> By the way
>     ike=aes256-sha2_256-ecp512bp
> does not give you constant 256 bit security. The correct choice is
>     ike=aes256-sha512-ecp512bp!

Excellent, this is great information!

Thank you,
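The two situations Andreas distinguishes (peer capabilities known vs. unknown) map directly onto how the ike= proposal list is written. The following ipsec.conf fragment is an added illustration, not configuration posted in this thread or shipped by the strongSwan project; the addresses, subnets and identities are constructed placeholders, and the esp= line is an assumption that the same uniform strength is wanted for the CHILD_SA.

```ini
# Added example: net-to-net tunnel between two gateways.
conn net-net
    left=192.0.2.1                 # constructed placeholder address
    leftsubnet=10.1.0.0/16
    leftid=@moon.example.org
    right=198.51.100.1             # constructed placeholder address
    rightsubnet=10.2.0.0/16
    rightid=@sun.example.org
    keyexchange=ikev2
    # Case 1: both ends are known to support this. One strict proposal
    # (trailing '!') with AES-256, SHA-512 and a 512-bit curve keeps every
    # primitive at the same nominal 256-bit level; if it negotiates once,
    # it negotiates every time.
    ike=aes256-sha512-ecp512bp!
    esp=aes256-sha512-ecp512bp!    # assumption: same strength for ESP, with PFS
    # Case 2: peer support unknown. List the preferred proposal first and
    # the widely supported one from the thread last, still strict:
    # ike=aes256-sha512-ecp512bp,aes128-sha1-modp2048!
    # esp=aes256-sha512-ecp512bp,aes128-sha1-modp2048!
    auto=start
```

After the tunnel comes up, `ipsec statusall` shows which proposal was actually selected; if the fallback is what you see, the peer lacks support for the preferred set and the list is doing its job rather than silently weakening a tunnel that had no alternative.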