[strongSwan] IKE Ciphers in relation to ESP Ciphers

Jafar Al-Gharaibeh jafar at atcorp.com
Thu Oct 5 20:42:07 CEST 2017


   Is there a way to force child SAs not to have ciphers that are stronger
(in terms of bits) than the IKE SA that created them? In other words,
I want to be able to force IKE encryption to be always stronger than or
equal to that of Child SAs. I know this can be achieved by configuring IKE
ciphers such that the lowest strength cipher is stronger than or equal to
that of any ESP cipher, but that is very limiting. Having the ability to
do this at run time gives the peers more flexibility and more cipher
options to pick from, and only make the decision per connection.
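
The static approach mentioned in the post, checked mechanically. This is an added example, not part of the original message and not strongSwan code: it flags every conn whose weakest IKE cipher is weaker than its strongest ESP cipher. It assumes ipsec.conf-style `conn` sections with explicit `ike=` and `esp=` lines (no `%default` inheritance) and compares nominal key sizes; `key_bits`, `audit` and the sample configuration are constructed for illustration.

```python
import re

# Assumption: nominal key sizes (bits) for keywords that carry no size.
FIXED_BITS = {"3des": 168, "chacha20poly1305": 256}
ENC_RE = re.compile(r"^(aes|camellia)(128|192|256)(gcm|ccm|ctr)?\d*$")

# Constructed sample configuration, not taken from the post.
SAMPLE_CONF = """\
conn site-a
    ike=aes256-sha256-modp2048,aes128-sha256-modp2048
    esp=aes256gcm16,aes128gcm16
conn site-b
    ike=aes256-sha384-ecp384!
    esp=aes128gcm16-ecp384,aes256gcm16-ecp384!
"""

def key_bits(value):
    """Key sizes of every encryption algorithm in a comma-separated proposal list."""
    bits = []
    for proposal in value.strip().rstrip("!").lower().split(","):
        found = []
        for tok in proposal.strip().split("-"):
            if tok in FIXED_BITS:
                found.append(FIXED_BITS[tok])
            elif (m := ENC_RE.match(tok)):
                found.append(int(m.group(2)))
        if not found:  # refuse to guess rather than silently pass
            raise ValueError(f"no recognised cipher in {proposal!r}")
        bits.extend(found)
    return bits

def audit(conf_text):
    """Return (conn, weakest IKE bits, strongest ESP bits) for each violating conn."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            if key.strip() in ("ike", "esp"):
                current[key.strip()] = key_bits(val)
    return [(name, min(c["ike"]), max(c["esp"]))
            for name, c in conns.items()
            if "ike" in c and "esp" in c and min(c["ike"]) < max(c["esp"])]

if __name__ == "__main__":
    for name, ike, esp in audit(SAMPLE_CONF):
        print(f"{name}: ESP up to {esp} bits but IKE may negotiate {ike} bits")
```
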


