I hope this is a quick question: It seems tedious to have to list each and every combination of allowed cipher, but exclude DES/3DES by using ike= and esp=.
I realize I could simply limit to, say, AES, by using something like:

ike=aes128-md5-modp1536
esp=aes128-md5-modp1536

but I'd rather remain flexible...

I've tried compiling strongswan with --disable-des, however 'ipsec listall' still lists DES and 3DES:

000 List of registered IKEv1 Algorithms:
000
000   encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC
000   integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000   dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144 MODP_8192 ECP_256 ECP_384 ECP_521 MODP_1024_160 MODP_2048_224 MODP_2048_256 ECP_192 ECP_224
000
000 List of registered ESP Algorithms:
000
000   encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16 CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
000   integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_RIPEMD AES_XCBC_96 NULL HMAC_SHA2_256_96

List of registered IKEv2 Algorithms:

  encryption: AES_CBC CAMELLIA_CBC 3DES_CBC RC5_CBC IDEA_CBC CAST_CBC BLOWFISH_CBC DES_CBC DES_ECB NULL
  integrity: AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160 HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192 HMAC_SHA2_512_256
  hasher: HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512 HASH_MD2 HASH_MD4 HASH_MD5
  prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
  dh-group: MODP_2048 MODP_2048_224 MODP_2048_256 MODP_1536 ECP_256 ECP_384 ECP_521 ECP_224 ECP_192 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_1024_160 MODP_768

So am I just reading what's happening wrong, or what?

Thanks,
--
Troy Telford
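The "tedious" explicit list can be generated rather than typed. The following is an added example, not part of the original message and not strongSwan code: it parses listing output in the shape quoted above, drops DES and 3DES, and emits a comma-separated ike= value in the cipher-hash-dhgroup form the post uses. The sample listing is abridged from the post, and the KEYWORDS name-to-keyword map and all function names are assumptions made for illustration.

```python
import re
from itertools import product

# Constructed sample: IKEv1 part of the listing quoted in the post (dh-group abridged).
SAMPLE = """\
000 List of registered IKEv1 Algorithms:
000
000   encryption: BLOWFISH_CBC 3DES_CBC AES_CBC CAMELLIA_CBC
000   integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000   dh-group: MODP_1024 MODP_1536 MODP_2048 MODP_3072
"""

# Assumption: partial map from registered names to ipsec.conf proposal keywords.
# Names missing from this map are skipped, so the map doubles as an allow-list.
KEYWORDS = {
    "3DES_CBC": "3des", "AES_CBC": "aes128",
    "HMAC_MD5": "md5", "HMAC_SHA1": "sha1",
    "MODP_1536": "modp1536", "MODP_2048": "modp2048",
}
EXCLUDE = re.compile(r"^3?DES_")  # matches DES_CBC, DES_ECB and 3DES_CBC

def parse_listing(text):
    """Return {section: {category: [names]}} from listall-style output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^000\s*", "", raw).strip()  # strip the 000 prefix seen in the post
        head = re.match(r"List of registered (\S+) Algorithms:$", line)
        if head:
            current = sections.setdefault(head.group(1), {})
        elif current is not None and ":" in line:
            category, names = line.split(":", 1)
            current[category.strip()] = names.split()
    return sections

def build_proposals(algs, exclude=EXCLUDE, keywords=KEYWORDS):
    """Cross encryption x integrity x dh-group, dropping excluded and unmapped names."""
    def pick(category):
        return [keywords[n] for n in algs.get(category, [])
                if not exclude.match(n) and n in keywords]
    combos = product(pick("encryption"), pick("integrity"), pick("dh-group"))
    return ",".join("-".join(c) for c in combos)

def ike_line(text, section="IKEv1"):
    return "ike=" + build_proposals(parse_listing(text)[section])

if __name__ == "__main__":
    print(ike_line(SAMPLE))
```

Extending KEYWORDS widens the generated list; the exclusion pattern is applied before the map, so a DES-family entry never reaches the output even if it has a keyword.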
