[strongSwan] SHA1 vs SHA256

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Aug 4 12:25:56 CEST 2017


The remote peer probably uses the DRAFT variant of sha2-256, which uses 96 bit truncation. strongSwan uses the actual standardized variant that truncates to 128 bit.
You can switch between the two in the newest version of strongSwan.

On 04.08.2017 12:23, Dusan Ilic wrote:
> Hello!
>
> I have a strange issue: with both settings below the tunnel goes up as it should, but only with SHA1 in ESP does traffic go through. When I ping the remote client with ESP SHA256 it times out, even though the tunnel reports as being up by Strongswan.
>
> Traffic working:
>
> ike=aes256-sha256-modp2048!
> esp=aes128-sha1-modp2048!
>
> Traffic not working:
>
> ike=aes256-sha256-modp2048!
> esp=aes256-sha256-modp2048!
>
> Below combo doesn't work either:
>
> ike=aes256-sha256-modp2048!
> esp=aes128-sha256-modp2048!
>
>
> Also, are the above settings good? I'm having AES128 on ESP because with AES256 I lose too much throughput. Do you have any suggestions for change?
>
>
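The truncation mismatch described in the reply, shown as an added example (not code from the thread or from strongSwan): both peers derive the same HMAC-SHA-256 over the ESP packet, but one appends a 96-bit ICV (the draft variant) and the other expects 128 bits (RFC 4868), so every ESP packet fails integrity verification even though IKE negotiated the "same" algorithm. The key and packet bytes are constructed for illustration.

```python
import hmac
import hashlib

# Constructed demo key and ESP packet (SPI, sequence number, encrypted payload).
# Made-up values for illustration, not taken from any real capture.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")
ESP_PACKET = bytes.fromhex("c0ffee01") + (1).to_bytes(4, "big") + b"\xaa" * 32

RFC4868_ICV_LEN = 16   # HMAC-SHA-256-128: standardized ESP integrity algorithm
DRAFT_ICV_LEN = 12     # HMAC-SHA-256-96: draft-ietf-ipsec-ciph-sha-256-00 variant


def esp_icv(key: bytes, authenticated: bytes, icv_len: int) -> bytes:
    """Integrity Check Value: full HMAC-SHA-256 truncated to icv_len bytes."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:icv_len]


def build_packet(key: bytes, payload: bytes, icv_len: int) -> bytes:
    """Sender side: append the ICV of the length this peer's variant uses."""
    return payload + esp_icv(key, payload, icv_len)


def verify_packet(key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver side: split off the trailing ICV of the length it expects,
    recompute the HMAC over the rest and compare in constant time."""
    if len(packet) <= icv_len:
        return False
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, authenticated, icv_len))


def interop(sender_icv_len: int, receiver_icv_len: int) -> bool:
    """True only when both peers agree on the truncation length."""
    packet = build_packet(KEY, ESP_PACKET, sender_icv_len)
    return verify_packet(KEY, packet, receiver_icv_len)


if __name__ == "__main__":
    for tx, rx in [(16, 16), (12, 12), (12, 16), (16, 12)]:
        state = "passes" if interop(tx, rx) else "FAILS"
        print(f"sender ICV {tx * 8} bit, receiver expects {rx * 8} bit: {state}")
```

With a mismatch the receiver silently discards every ESP packet, which is exactly the "tunnel up, pings time out" symptom in the question; the IKE SA itself is unaffected because the truncation only applies to ESP.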


