Thanks a lot for the quick reply Andreas.
Rgds,
Lakshmi
On Wed, Sep 21, 2016 at 6:35 PM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:
> Hi Lakshmi,
>
> no, IKEv1 does not support SHA2_256_96 for ESP. Since the corresponding
> ESP integrity algorithm is in the private identifier
Hi Andreas,
Does IKEv1 support SHA_256_96 for ESP ? I see that strongswan does not send
out the integrity algorithm when configured as SHA-256_96 for IKEv1.
However it works for IKEv2.
Thanks,
Lakshmi
On Fri, Aug 12, 2016 at 9:26 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:
>
Hi Lakshmi,
SHA-256 was implemented incorrectly for ESP with a 96 bit instead
of the standard 128 bit truncation in Linux kernels older than
2.6.33.
Workarounds:
1) Update to a kernel >= 2.6.33 (2.6.21 is ancient!)
2) If you run strongSwan on both VPN end points you can select the