[strongSwan] SHA1 vs SHA256

Dusan Ilic dusan at comhem.se
Fri Aug 4 12:41:26 CEST 2017


Hi Noel,

One side is Strongswan 5.2.2 and the other is 5.5.2.
How do I switch?


Den 2017-08-04 kl. 12:25, skrev Noel Kuntze:
> the remote peer probably uses the DRAFT variant of sha2-256, which uses 96 bit truncation. strongSwan uses the actual standardized variant that truncates to 128 bit.
> You can switch between the two in the newest version of strongSwan
>
> On 04.08.2017 12:23, Dusan Ilic wrote:
>> Hello!
>>
>> I have a strange issue, with both settings below the tunnel goes up as it should, but only with SHA1 in ESP traffic goes through. When I ping the remote client with ESP SHA256 it times out, even though the tunnel reports as being up by Strongswan.
>>
>> Traffic working:
>>
>> ike=aes256-sha256-modp2048!
>> esp=aes128-sha1-modp2048!
>>
>> Traffic not working:
>>
>> ike=aes256-sha256-modp2048!
>> esp=aes256-sha256-modp2048!
>>
>> Below combo doesn't work either:
>>
>> ike=aes256-sha256-modp2048!
>> esp=aes128-sha256-modp2048!
>>
>>
>> Also, are above settings good? I'm having AES128 on ESP because with AES256 I lose too much throughput. Do you have any suggestions for change?
>>
>>

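The mismatch Noel describes, as an added illustration that is not part of the thread or of strongSwan's code: both peers agree on "HMAC-SHA-256" during IKE, so the tunnel comes up, but one side truncates the ESP integrity check value (ICV) to 96 bits (the pre-RFC draft behaviour, which strongSwan exposes as the `sha256_96` proposal keyword in recent versions) while the other uses the 128-bit truncation of RFC 4868. Every ESP packet then fails integrity verification on receipt and is silently dropped, which matches a tunnel that reports "up" while pings time out. The key, SPI and payload bytes below are constructed for the example; the ESP layout is simplified to header + payload + ICV.

```python
"""Why peers that disagree on HMAC-SHA-256 ICV truncation negotiate a tunnel
but pass no ESP traffic (added example, not strongSwan code)."""

import hashlib
import hmac

DRAFT_ICV_LEN = 12    # 96-bit truncation: early draft implementations (sha256_96)
RFC4868_ICV_LEN = 16  # 128-bit truncation: RFC 4868 HMAC-SHA-256-128 (sha256)

# Constructed test key and payload; any values work, the point is the length.
INTEGRITY_KEY = bytes.fromhex("00" * 16 + "ff" * 16)
SPI = 0xC0FFEE01
PAYLOAD = b"ICMP echo request (constructed payload)"


def esp_icv(key: bytes, authenticated: bytes, icv_len: int) -> bytes:
    """ESP integrity check value: HMAC-SHA-256, left-truncated to icv_len bytes."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:icv_len]


def build_esp(key: bytes, spi: int, seq: int, payload: bytes, icv_len: int) -> bytes:
    """Sender side: SPI || sequence number || payload || ICV."""
    authenticated = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return authenticated + esp_icv(key, authenticated, icv_len)


def verify_esp(key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver side: strip the ICV length *it* expects and recompute.

    A receiver cannot tell how long the sender's ICV was; it simply assumes
    the negotiated length. If the peer used a different truncation, the bytes
    it treats as payload and as ICV are both wrong and the compare fails.
    """
    if len(packet) < 8 + icv_len:
        return False
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, authenticated, icv_len))


def esp_interoperates(sender_icv_len: int, receiver_icv_len: int, count: int = 5) -> bool:
    """Simulate `count` packets from sender to receiver; True only if all verify."""
    return all(
        verify_esp(INTEGRITY_KEY, build_esp(INTEGRITY_KEY, SPI, seq, PAYLOAD, sender_icv_len),
                   receiver_icv_len)
        for seq in range(1, count + 1)
    )


if __name__ == "__main__":
    for name, s, r in [("sha256_96 -> sha256_96", DRAFT_ICV_LEN, DRAFT_ICV_LEN),
                       ("sha256    -> sha256", RFC4868_ICV_LEN, RFC4868_ICV_LEN),
                       ("sha256_96 -> sha256", DRAFT_ICV_LEN, RFC4868_ICV_LEN),
                       ("sha256    -> sha256_96", RFC4868_ICV_LEN, DRAFT_ICV_LEN)]:
        status = "traffic flows" if esp_interoperates(s, r) else "every packet dropped"
        print(f"{name}: {status}")
```

On a real host the same symptom shows up as ESP integrity failures in the kernel's IPsec counters (for example the `XfrmInStateProtoError` line in `/proc/net/xfrm_stat` on Linux) while IKE SAs stay established; checking that counter is the quickest way to confirm a truncation mismatch before changing the `esp=` proposal.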