[strongSwan] Strongswan not sending encryption algorithm

Andreas Steffen andreas.steffen at strongswan.org
Fri Aug 5 10:19:06 CEST 2016


Hi Lakshmi,

The old IKEv1 protocol does not support AES-GCM for IKE since
IANA hasn't assigned any encryption transform numbers:

http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-4

AES-GCM can be used for IKE protection only with IKEv2:

http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5

Anyway, you profit from the speed advantage of AES-GCM mainly
with ESP because many payload packets must be processed.
AES-GCM for ESP can be negotiated both via IKEv1 and IKEv2.

Regards

Andreas

On 08/05/2016 08:42 AM, Lakshmi Prasanna wrote:
> Hi Team,
> 
> I am trying to use AES-GCM with IKEV1 and see that strongswan does not
> send the encryption algorithm. 
> 
> Is there any plugin or knob to enable the same?
> 
> Logs:
> 
> --------
> 
> received proposals: IKE:HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> 
> configured proposals: IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> 
> 
> Thanks and Regards,
> 
> Lakshmi

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
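
An added example, not part of the original thread and not strongSwan's own sample configuration: two connection definitions in the legacy `ipsec.conf` format showing the two options the reply describes. The connection names, addresses, identity, certificate file name and the AES-128/SHA-256/MODP-2048 choices are placeholders assumed for illustration.

```conf
# Added illustration; every name, address and file below is a placeholder.

conn %default
    left=192.0.2.1
    leftcert=gateway-cert.pem
    right=192.0.2.2
    rightid=peer.example.org
    auto=add

# Option 1: stay on IKEv1.
# IANA has assigned no AES-GCM transform number for IKEv1 phase 1, so the
# IKE proposal uses AES-CBC with a separate integrity algorithm.
# AES-GCM is still negotiated for ESP, where the bulk traffic is processed.
conn ikev1-gcm-esp
    keyexchange=ikev1
    ike=aes128-sha256-modp2048!
    esp=aes128gcm16-modp2048!

# Option 2: move to IKEv2.
# AES-GCM can protect the IKE SA itself. An AEAD IKE proposal carries no
# separate integrity algorithm, so the PRF is named explicitly.
conn ikev2-gcm
    keyexchange=ikev2
    ike=aes128gcm16-prfsha256-modp2048!
    esp=aes128gcm16-modp2048!
```

With the first definition the IKEv1 proposal carries an encryption transform again, because AES-CBC has an assigned IKEv1 number while AES-GCM does not.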
