IKE Ciphers in relation to ESP Ciphers

Jafar Al-Gharaibeh
Tue Oct 10 21:43:23 CEST 2017

Is this possible to do in strongSwan currently? I didn't find any 
documentation regarding this. I might look into adding this capability 
if it doesn't currently exist.


On 10/5/2017 1:42 PM, Jafar Al-Gharaibeh wrote:
> Hi,
>   Is there a way to force child SAs not to have ciphers that are 
> stronger (in terms of bits) than the IKE SA that created them? In 
> other words, I want to be able to force IKE encryption to always be 
> stronger than or equal to that of Child SAs. I know this can be achieved 
> by configuring IKE ciphers such that the lowest strength cipher is 
> stronger than or equal to that of any esp cipher, but that is very 
> limiting. Having the ability to do this at run time gives the peers 
> more flexibility and more cipher options to pick from and only make 
> the decision per connection.
> Regards,
> Jafar
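
Added illustration, not part of the original thread and not strongSwan code: a small Python check of the policy discussed above, comparing encryption key lengths in strongSwan-style proposal strings. The function names, the key-size table and the sample proposals are assumptions constructed for this example; "strength" is taken to mean nominal encryption key length in bits, as in the question.

```python
import re

# Nominal key lengths (bits) for ciphers whose keyword carries no size.
# Constructed table for this example, not taken from strongSwan.
FIXED_BITS = {"3des": 168, "chacha20poly1305": 256, "null": 0}
# Keywords that embed the key length, e.g. aes128, aes256gcm16, camellia192
SIZED = re.compile(r"^(aes|camellia)(128|192|256)(ctr|ccm\d+|gcm\d+|gmac)?$")

def enc_bits(proposal):
    """Encryption key length of one proposal, e.g. 'aes256gcm16-modp2048'."""
    for token in proposal.lower().rstrip("!").split("-"):
        m = SIZED.match(token)
        if m:
            return int(m.group(2))
        if token in FIXED_BITS:
            return FIXED_BITS[token]
    raise ValueError(f"no known encryption algorithm in {proposal!r}")

def split_proposals(value):
    """Split a comma-separated proposal list as written in a config file."""
    return [p.strip() for p in value.split(",") if p.strip()]

def static_violations(ike, esp):
    """Static audit: (ike, esp) pairs where ESP could end up stronger than IKE."""
    return [(i, e)
            for i in split_proposals(ike)
            for e in split_proposals(esp)
            if enc_bits(e) > enc_bits(i)]

def allowed_esp(negotiated_ike, esp):
    """Per-connection variant: keep only the ESP proposals that are no
    stronger than the IKE proposal actually negotiated."""
    limit = enc_bits(negotiated_ike)
    return [e for e in split_proposals(esp) if enc_bits(e) <= limit]

# Constructed sample configuration values
IKE = "aes128-sha256-modp2048,aes256-sha256-modp2048"
ESP = "aes128gcm16-modp2048,aes256gcm16-modp2048"

if __name__ == "__main__":
    for pair in static_violations(IKE, ESP):
        print("ESP may exceed IKE:", pair)
    print("after IKE aes128:", allowed_esp("aes128-sha256-modp2048", ESP))
    print("after IKE aes256:", allowed_esp("aes256-sha256-modp2048", ESP))
```

The static audit corresponds to the configuration-only workaround in the quoted message; the per-connection filter corresponds to the run-time behaviour being asked for.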

