[strongSwan] IKE Ciphers in relation to ESP Ciphers

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 11 16:39:31 CEST 2017


That is not possible natively. You would need to write a plugin for that.

Kind regards


On 10.10.2017 21:43, Jafar Al-Gharaibeh wrote:
> Is this possible to do in strongSwan currently? I didn't find any documentation regarding this. I might look into adding this capability if it doesn't currently exist.
> Thanks,
> Jafar
> On 10/5/2017 1:42 PM, Jafar Al-Gharaibeh wrote:
>> Hi,
>> Is there a way to force child SAs not to have ciphers that are stronger (in terms of bits) than the IKE SA that created them? In other words, I want to be able to force IKE encryption to always be stronger than or equal to that of Child SAs. I know this can be achieved by configuring IKE ciphers such that the lowest-strength cipher is stronger than or equal to that of any ESP cipher, but that is very limiting. Having the ability to do this at run time gives the peers more flexibility and more cipher options to pick from, and only makes the decision per connection.
>> Regards,
>> Jafar
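
Added example, not part of the original thread and not strongSwan code: a static audit of the configuration-time workaround described in the first message, checking that no ESP proposal can negotiate a cipher with more key bits than the weakest IKE cipher. The function names, the sample proposal lists and the limited keyword table are assumptions of this example; it does not provide the run-time enforcement asked about.

```python
import re

# Encryption keywords of strongSwan-style proposal strings mapped to key bits.
# Only a subset of keywords is covered (assumption of this example).
_SIZED = re.compile(r"^(?:aes|camellia)(128|192|256)(?:gcm|ccm|ctr)?\d*$")
_FIXED = {"chacha20poly1305": 256, "3des": 168}  # 3des: nominal key length


def enc_bits(proposal):
    """Return (weakest, strongest) encryption key bits listed in one proposal."""
    sizes = []
    for token in proposal.strip().lower().split("-"):
        m = _SIZED.match(token)
        if m:
            sizes.append(int(m.group(1)))
        elif token in _FIXED:
            sizes.append(_FIXED[token])
        # Integrity, PRF and DH keywords (sha256, modp2048, ...) are skipped.
    if not sizes:
        raise ValueError(f"no known encryption algorithm in {proposal!r}")
    return min(sizes), max(sizes)


def audit(ike_proposals, esp_proposals):
    """Return (ike_floor, esp_violations).

    ike_floor is the weakest cipher any IKE proposal allows; an ESP proposal
    is a violation if it could negotiate a cipher with more key bits.
    """
    ike_floor = min(enc_bits(p)[0] for p in ike_proposals)
    violations = [p for p in esp_proposals if enc_bits(p)[1] > ike_floor]
    return ike_floor, violations


# Constructed sample proposals, not taken from the thread.
IKE = ["aes256gcm16-prfsha384-ecp384", "aes128-sha256-modp2048"]
ESP = ["aes128gcm16-ecp256", "aes256-sha256"]

if __name__ == "__main__":
    floor, bad = audit(IKE, ESP)
    print(f"weakest IKE cipher: {floor} bits")
    for p in bad:
        print(f"ESP proposal may exceed IKE strength: {p}")
```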
