Thank you for the reply Andreas. Can you please validate my understanding?
Valid combo: ------------------- keyexchange=ikev1 ike=aes256-sha256-modp2048! esp=aes256gcm128-sha256! Invalid combo: -------------------- keyexchange=ikev1 ike=aes256gcm128-sha256-modp2048! esp=aes256gcm128-sha256! Thanks, Lakshmi On Fri, Aug 5, 2016 at 1:49 PM, Andreas Steffen < [email protected]> wrote: > Hi Lakshmi, > > The old IKEv1 protocol does not support AES-GCM for IKE since > IANA hasn't assigned any encryption transform numbers: > > http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec- > registry-4 > > AES-GCM can be used for IKE protection with IKEv2, only: > > http://www.iana.org/assignments/ikev2-parameters/ > ikev2-parameters.xhtml#ikev2-parameters-5 > > Anyway, you profit from the speed advantage of AES-GCM mainly > with ESP because many payload packets must be processed. > AES-GCM for ESP can be negotiated both via IKEv1 and IKEv2. > > Regards > > Andreas > > On 08/05/2016 08:42 AM, Lakshmi Prasanna wrote: > > Hi Team, > > > > I am trying to use AES-GCM with IKEV1 and see that strongswan does not > > send the encryption algorithm. > > > > Is there any plugin or knob to enable the same? > > > > Logs: > > > > -------- > > > > received proposals: IKE:HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 > > > > configured > > proposals:IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_ > SHA2_256/MODP_2048 > > > > > > Thanks and Regards, > > > > Lakshmi > > ====================================================================== > Andreas Steffen [email protected] > strongSwan - the Open Source VPN Solution! www.strongswan.org > Institute for Internet Technologies and Applications > University of Applied Sciences Rapperswil > CH-8640 Rapperswil (Switzerland) > ===========================================================[ITA-HSR]== > >
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
