[strongSwan] Good information on adding custom ESP encryption

Martin Willi martin at strongswan.org
Sat Apr 9 10:14:34 CEST 2016


Hi,

> I believe the only real way to do this is via a kernel module using 
> the CryptoAPI. It then has to be registered with the OS and 
> strongSwan and can then be used by specifying esp=<name you gave it>


Yes, that is correct. For an example you may take a look at the
patchset that implements the ChaCha20Poly1305 algorithm [1]. It exposes
an AEAD to IPsec, but the mechanics are very similar if you have
separate encryption/integrity algorithms. The CryptoAPI for AEAD has
slightly changed since then, so better have a look at the current
implementation as well.
Patch 9 in that series then exposes the implemented algorithm to IPsec.
In strongSwan you'll have to add a proposal keyword, an algorithm
identifier for the IKE exchange, and map that identifier to the kernel
algorithm name you have chosen, see [2].

Regards
Martin

[1] https://www.spinics.net/lists/linux-crypto/msg15123.html
[2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=405c5dcd
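
After loading such a kernel module, one way to confirm that the kernel actually registered the algorithm before naming it in `esp=` is to look it up in `/proc/crypto`. The script below is an added example, not part of the original message or of strongSwan; the names `myaead`, `my_esp_aead` and `untested` are hypothetical and the sample records are constructed.

```shell
#!/bin/sh
# Added example. "myaead", "my_esp_aead" and "untested" are hypothetical names;
# the records in sample_proc_crypto are constructed, not captured from a host.

# crypto_alg_status NAME TYPE [FILE]
# Prints "driver module selftest" for every record with that name and type.
# Returns 0 only if at least one such record reports selftest "passed".
crypto_alg_status() {
    awk -v want="$1" -v type="$2" '
        function emit() {
            if (rec["name"] == want && rec["type"] == type) {
                print rec["driver"], rec["module"], rec["selftest"]
                if (rec["selftest"] == "passed") ok = 1
            }
            split("", rec)              # start the next record empty
        }
        /^[ \t]*$/ { emit(); next }     # a blank line ends a record
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            rec[key] = val
        }
        END { emit(); exit(ok ? 0 : 1) }
    ' "${3:-/proc/crypto}"
}

sample_proc_crypto() {
    cat <<'EOF'
name         : myaead
driver       : myaead-generic
module       : my_esp_aead
selftest     : passed
type         : aead

name         : untested
driver       : untested-generic
module       : my_esp_aead
selftest     : unknown
type         : aead
EOF
}

# Demo on the constructed sample; on a real host, omit the third argument.
sample_proc_crypto | crypto_alg_status myaead aead -
```

A non-zero exit status means the name is missing, is registered under a different type, or has not passed its self-test, so an ESP proposal referring to it should not be expected to install.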

