[strongSwan] Strongswan not sending encryption algorithm
Andreas Steffen
andreas.steffen at strongswan.org
Fri Aug 5 10:59:09 CEST 2016
Hi Lakshmi,
yes, your understanding is correct. Since AES-GCM is an
authenticated encryption algorithm, you don't need an
additional integrity protection function. Thus
Valid IKEv1 combo:
------------------
keyexchange=ikev1
ike=aes256-sha256-modp2048!
esp=aes256gcm128!
Valid IKEv2 combo:
------------------
keyexchange=ikev2
ike=aes256gcm128-prfsha256-modp2048!
esp=aes256gcm128!
Regards
Andreas
On 05.08.2016 10:41, Lakshmi Prasanna wrote:
> Thank you for the reply Andreas.
>
> Can you please validate my understanding?
>
> Valid combo:
> -------------------
>
> keyexchange=ikev1
>
> ike=aes256-sha256-modp2048!
>
> esp=aes256gcm128-sha256!
>
>
> Invalid combo:
> --------------------
>
> keyexchange=ikev1
>
> ike=aes256gcm128-sha256-modp2048!
>
> esp=aes256gcm128-sha256!
>
>
> Thanks,
>
> Lakshmi
>
>
> On Fri, Aug 5, 2016 at 1:49 PM, Andreas Steffen
> <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
> wrote:
>
> Hi Lakshmi,
>
> The old IKEv1 protocol does not support AES-GCM for IKE since
> IANA hasn't assigned any encryption transform numbers:
>
> http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-4
> <http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-4>
>
> AES-GCM can be used for IKE protection with IKEv2, only:
>
> http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5
> <http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-5>
>
> Anyway, you profit from the speed advantage of AES-GCM mainly
> with ESP because many payload packets must be processed.
> AES-GCM for ESP can be negotiated both via IKEv1 and IKEv2.
>
> Regards
>
> Andreas
>
> On 08/05/2016 08:42 AM, Lakshmi Prasanna wrote:
> > Hi Team,
> >
> > I am trying to use AES-GCM with IKEV1 and see that strongswan
> does not
> > send the encryption algorithm.
> >
> > Is there any plugin or knob to enable the same?
> >
> > Logs:
> >
> > --------
> >
> > received proposals: IKE:HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> >
> > configured
> >
> proposals:IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> >
> >
> > Thanks and Regards,
> >
> > Lakshmi
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> <mailto:andreas.steffen at strongswan.org>
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> <http://www.strongswan.org>
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4275 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160805/122e8037/attachment-0001.bin>
More information about the Users
mailing list