[strongSwan] nonce Length

Andreas Steffen andreas.steffen at strongswan.org
Thu Sep 14 08:56:38 CEST 2017

Hi Jafar,

section 2.10 of IKEv2 RFC 7296 [1] states that

   Nonces used in IKEv2
   MUST be randomly chosen, MUST be at least 128 bits in size, and MUST
   be at least half the key size of the negotiated pseudorandom function
   (PRF).  However, the initiator chooses the nonce before the outcome
   of the negotiation is known.  Because of that, the nonce has to be
   long enough for all the PRFs being proposed.

This is why strongSwan generates nonces with a constant size of 32 bytes
(256 bits) as defined in nonce_payloads.h [2]

   * Nonce size in bytes for nonces sending to other peer.
  #define NONCE_SIZE 32

Best regards



On 13.09.2017 20:37, Jafar Al-Gharaibeh wrote:
> Hi,
>    What is the default length of the nonce used  to establish and rekey 
> IKE/Child SAs?  is that based on the DH group? and is the length
> configurable?
> Thanks,
> Jafar

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list