[strongSwan] Strongswan not sending encryption algorithm
Lakshmi Prasanna
lakshmi.1147 at gmail.com
Fri Aug 5 11:00:32 CEST 2016
Thanks Andreas.
On Fri, Aug 5, 2016 at 2:29 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Lakshmi,
>
> yes, your understanding is correct. Since AES-GCM is an
> authenticated encryption algorithm, you don't need an
> additional integrity protection function. Thus
>
> Valid IKEv1 combo:
> ------------------
>
> keyexchange=ikev1
> ike=aes256-sha256-modp2048!
> esp=aes256gcm128!
>
>
> Valid IKEv2 combo:
> ------------------
>
> keyexchange=ikev2
> ike=aes256gcm128-prfsha256-modp2048!
> esp=aes256gcm128!
>
> Regards
>
> Andreas
>
> On 05.08.2016 10:41, Lakshmi Prasanna wrote:
>
>> Thank you for the reply Andreas.
>>
>> Can you please validate my understanding?
>>
>> Valid combo:
>> -------------------
>>
>> keyexchange=ikev1
>>
>> ike=aes256-sha256-modp2048!
>>
>> esp=aes256gcm128-sha256!
>>
>>
>> Invalid combo:
>> --------------------
>>
>> keyexchange=ikev1
>>
>> ike=aes256gcm128-sha256-modp2048!
>>
>> esp=aes256gcm128-sha256!
>>
>>
>> Thanks,
>>
>> Lakshmi
>>
>>
>> On Fri, Aug 5, 2016 at 1:49 PM, Andreas Steffen
>> <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
>>
>> wrote:
>>
>> Hi Lakshmi,
>>
>> The old IKEv1 protocol does not support AES-GCM for IKE since
>> IANA hasn't assigned any encryption transform numbers:
>>
>> http://www.iana.org/assignments/ipsec-registry/ipsec-
>> registry.xhtml#ipsec-registry-4
>> <http://www.iana.org/assignments/ipsec-registry/ipsec-
>> registry.xhtml#ipsec-registry-4>
>>
>> AES-GCM can be used for IKE protection with IKEv2, only:
>>
>> http://www.iana.org/assignments/ikev2-parameters/ikev2-
>> parameters.xhtml#ikev2-parameters-5
>> <http://www.iana.org/assignments/ikev2-parameters/ikev2-
>> parameters.xhtml#ikev2-parameters-5>
>>
>> Anyway, you profit from the speed advantage of AES-GCM mainly
>> with ESP because many payload packets must be processed.
>> AES-GCM for ESP can be negotiated both via IKEv1 and IKEv2.
>>
>> Regards
>>
>> Andreas
>>
>> On 08/05/2016 08:42 AM, Lakshmi Prasanna wrote:
>> > Hi Team,
>> >
>> > I am trying to use AES-GCM with IKEV1 and see that strongswan
>> does not
>> > send the encryption algorithm.
>> >
>> > Is there any plugin or knob to enable the same?
>> >
>> > Logs:
>> >
>> > --------
>> >
>> > received proposals: IKE:HMAC_SHA2_256_128/PRF_HMAC
>> _SHA2_256/MODP_2048
>> >
>> > configured
>> >
>> proposals:IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2
>> _256/MODP_2048
>> >
>> >
>> > Thanks and Regards,
>> >
>> > Lakshmi
>>
>> ============================================================
>> ==========
>> Andreas Steffen andreas.steffen at strongswan.org
>> <mailto:andreas.steffen at strongswan.org>
>> strongSwan - the Open Source VPN Solution! www.strongswan.org
>> <http://www.strongswan.org>
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[
>> ITA-HSR]==
>>
>>
>>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160805/9c246b1d/attachment.html>
More information about the Users
mailing list