[strongSwan] IKE Ciphers in relation to ESP Ciphers
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Oct 11 16:39:31 CEST 2017
That is not possible natively. You would need to write a plugin for that.
On 10.10.2017 21:43, Jafar Al-Gharaibeh wrote:
> Is this possible to do in strongSwan currently ? I didn't find any documentation regarding this. I might look into adding this capability if it doesn't currently exist.
> On 10/5/2017 1:42 PM, Jafar Al-Gharaibeh wrote:
>> Is there a way to force child SAs not have ciphers that are stronger (in term of bits) than the the IKE SA that created them. In other words, I want to be able to force IKE encryption to be always stronger or equal than that of Child SAs. I know this can be achieved by configuring IKE ciphers such that the lowest strength cipher is stronger or equal to that of any esp cipher, but that is very limiting. Having the ability to do this at run time gives the peers more flexibility and more ciphers options to pick from and only make the decision per connection.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the Users