Hello Dale, > but I did find that the crypto back end is based on libgcrypt.
We support different crypto backends in strongSwan. The default uses our own crypto routines provided directly by strongSwan. Alternatively you can use the OpenSSL or the libgcrypt based crypto backends. This can be configured by passing the appropriate options to the ./configure script. Additionally to what we use in userspace, you usually make use of the cryptographic API from the Linux kernel to process ESP packets. > does this mean that just by specifying the required encryption > algorithms with the appropriate key lengths for connections, my system > (currently 4.6.1) will be compliant with the NIST standard? Yes, the ipsec.conf "esp" and "ike" proposal keywords allow you to define the algorithms to use, man ipsec.conf for details. Also make sure to append a "!" to the value of these keywords; this will remove the fallback to other algorithms supported by your build. Public key strengths are defined by the keys you configure, or what your CA issues. In newer strongSwan releases, you can also define additional public key strength requirements with the left/rightauth options. The manpage of ipsec.conf has more details. Regards Martin _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
