For IKEv1, given a line like ike=aes (I suspect technically it is something like phase1=aes), pluto proposes:

    encr=aes, keylen=128,256

leading it to prefer 128 over 268 (look for the code following the comment 'This odd FOR loop' in spdb_struct.c).

However, if nothing at all is specified then it proposes:

    encr=aes,keylen=256
    encr=aes,keylen=128

leading to a preference for 256 bit keys (look at spdb.c).

Should IKEv1 IKE be more consistent and always prefer the stronger 256 bit key length (i.e., the max key len)?

Andrew

(this would also make it consistent with IKEv2)
(ESP, with different code, would still prefer 128 bit keys)
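
Added example (not part of the original post and not pluto code): a small C model of why the order of the offered key lengths decides what gets negotiated, assuming the responder accepts the first transform, in the initiator's order, that its own policy allows. The struct, function names and sample offers are hypothetical; the last function sorts the offer so the maximum key length comes first, which is the behaviour the post asks about.

```c
#include <stdio.h>
#include <stdlib.h>

struct transform { const char *encr; int keylen; };   /* hypothetical type */

/* Constructed sample: order described in the post for an explicit ike=aes. */
static const struct transform explicit_aes[] = { {"aes", 128}, {"aes", 256} };
/* Constructed sample: order described in the post when nothing is specified. */
static const struct transform defaults[] = { {"aes", 256}, {"aes", 128} };
/* Constructed responder policies (accepted key lengths). */
static const int both_sizes[] = { 128, 256 };
static const int only_128[] = { 128 };

/* Assumed responder rule: take the first offered transform that is allowed.
 * Returns the negotiated key length, or 0 when nothing matches. */
static int negotiate(const struct transform *offer, size_t n,
                     const int *allowed, size_t n_allowed)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n_allowed; j++)
            if (offer[i].keylen == allowed[j])
                return offer[i].keylen;
    return 0;
}

static int by_keylen_desc(const void *a, const void *b)
{
    return ((const struct transform *)b)->keylen -
           ((const struct transform *)a)->keylen;
}

/* Offer the same transforms, strongest key length first, then negotiate. */
static int negotiate_strongest_first(const struct transform *offer, size_t n,
                                     const int *allowed, size_t n_allowed)
{
    struct transform sorted[8];
    if (n > 8)
        return 0;
    for (size_t i = 0; i < n; i++)
        sorted[i] = offer[i];
    qsort(sorted, n, sizeof sorted[0], by_keylen_desc);
    return negotiate(sorted, n, allowed, n_allowed);
}

int main(void)
{
    printf("ike=aes:         %d\n", negotiate(explicit_aes, 2, both_sizes, 2));
    printf("no ike= line:    %d\n", negotiate(defaults, 2, both_sizes, 2));
    printf("strongest first: %d\n", negotiate_strongest_first(explicit_aes, 2, both_sizes, 2));
    return 0;
}
```

A peer that only allows 128 bit keys still negotiates 128 after the reordering, so putting the larger key first changes the preference without removing the fallback.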
