Hi Jegathesh,

the reason is that there are two separate daemons running with strongSwan 4.5.3, namely the legacy IKEv1 pluto daemon going back to the FreeS/WAN project which originally had only 3DES built in and AES was added as a patch some years later on, and the new IKEv2 charon daemon where usually the responder accepts the first suitable cipher the initiator proposes. Thus the cipher selection strategies of the two daemons are different due to historical reasons.

If you want consistent behaviour between IKEv1 and IKEv2, just upgrade to strongSwan 5.0.4 where a single charon daemon is responsible for both protocols.

Regards

Andreas

On 07/23/2013 04:17 PM, jegathesh malaiyappan wrote:
> Hi All,
>
> Strongswan: 4.5.3
>
> Strongswan is selecting the different ESP encryption priority for
> *IKEv1* and *IKEv2*.
>
> What is the reason for this?
>
> Node A: (Initiator)
> =======
> conn conn1
>     type=tunnel
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes128-sha1, 3des-sha1!
>
> Node B: (Responder)
> =======
> conn conn1
>     type=tunnel
>     ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>     esp=3des-sha1,aes128-sha1!
>
> <snip> IKEv1 O/P
> ip x s
> src 10.10.10.11 dst 10.10.10.10
>     proto esp spi 0xc39d392e reqid 16384 mode tunnel
>     replay-window 0 flag nopmtudisc 20
>     auth hmac(sha1) 0xd64a2161bbcb15cc8214e92a7e741ee7f6a42354
>     enc cbc(*des3_ede*) 0x49ef278b1f67549994c7d249a116a30214d30cee8970bdd9
> src 10.10.10.10 dst 10.10.10.11
>     proto esp spi 0xc8ea85c3 reqid 16384 mode tunnel
>     replay-window 0 flag nopmtudisc 20
>     auth hmac(sha1) 0x08c788a2d2ce7a589eff32d9247e83a6ebd51c68
>     enc cbc(*des3_ede*) 0xc8114a2f0b28fe1f38a452798a63c786ba3fa909d5426e95
> </snip>
>
> *IKEv1*: Strongswan is selecting the *3DES* encryption method.
> *IKEv2*: Strongswan is selecting the *AES* encryption method.
>
> Could anyone clarify the reason a different encryption method is chosen
> for *IKEv1* and *IKEv2*?
>
> Thanks.
>
> Regards,
> Jegathesh.M
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/dev

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
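
An added example, not part of the original thread and not strongSwan code: a small Python check that parses `ip xfrm state` output like the listing quoted above and reports ESP SAs that were negotiated with 3DES, so the cipher each daemon actually selected can be verified on a node. The sample output (addresses, SPIs, zeroed keys) and the disallowed-cipher list are constructed assumptions.

```python
# Constructed sample of `ip xfrm state` output; addresses, SPIs and keys are made up.
SAMPLE = """\
src 192.0.2.11 dst 192.0.2.10
    proto esp spi 0xc0000001 reqid 16384 mode tunnel
    replay-window 0 flag nopmtudisc
    auth hmac(sha1) 0x0000000000000000000000000000000000000000
    enc cbc(des3_ede) 0x000000000000000000000000000000000000000000000000
src 192.0.2.10 dst 192.0.2.11
    proto esp spi 0xc0000002 reqid 16384 mode tunnel
    replay-window 0 flag nopmtudisc
    auth hmac(sha1) 0x0000000000000000000000000000000000000000
    enc cbc(aes) 0x00000000000000000000000000000000
"""

# Local policy assumption: kernel cipher names that should not appear on an ESP SA.
DISALLOWED_ENC = {"cbc(des3_ede)", "cbc(des)"}


def parse_xfrm_state(text):
    """Return one dict per SA with src, dst, proto, spi, auth and enc algorithm names."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "src" and len(tok) >= 4 and tok[2] == "dst":
            # An unindented "src A dst B" line starts a new SA record.
            sas.append({"src": tok[1], "dst": tok[3], "enc": None, "auth": None})
        elif not sas:
            continue  # ignore anything before the first SA header
        elif tok[0] == "proto" and len(tok) >= 4 and tok[2] == "spi":
            sas[-1].update(proto=tok[1], spi=tok[3])
        elif tok[0] in ("enc", "auth", "auth-trunc", "aead") and len(tok) >= 2:
            key = "auth" if tok[0].startswith("auth") else "enc"
            sas[-1][key] = tok[1]  # keep the algorithm name only, drop key material
    return sas


def disallowed_sas(text, disallowed=DISALLOWED_ENC):
    """Return the ESP SAs whose encryption algorithm is on the disallowed list."""
    return [sa for sa in parse_xfrm_state(text)
            if sa.get("proto") == "esp" and sa["enc"] in disallowed]


if __name__ == "__main__":
    for sa in disallowed_sas(SAMPLE):
        print(f"{sa['src']} -> {sa['dst']} spi {sa['spi']}: {sa['enc']}")
```
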
