Is this possible to do in strongSwan currently? I didn't find any
documentation regarding this. I might look into adding this capability
if it doesn't currently exist.
Thanks,
Jafar
On 10/5/2017 1:42 PM, Jafar Al-Gharaibeh wrote:
Hi,
Is there a way to force child SAs not to have ciphers that are
stronger (in terms of bits) than the IKE SA that created them? In
other words, I want to be able to force IKE encryption to always be
stronger than or equal to that of Child SAs. I know this can be achieved
by configuring IKE ciphers such that the lowest strength cipher is
stronger than or equal to that of any esp cipher, but that is very
limiting. Having the ability to do this at run time gives the peers
more flexibility and more cipher options to pick from and only make
the decision per connection.
Regards,
Jafar
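
Added example (not part of the thread and not strongSwan code): a Python check that contrasts the static workaround described above with the per-connection rule being asked for. The keyword table covers only a subset of strongSwan proposal keywords, and the function names and sample proposals are constructed for illustration; `esp_allowed_for` models the requested policy and is not a strongSwan option or API.

```python
import re

# Key sizes (bits) for a subset of strongSwan proposal keywords (illustrative table).
_SIZED = re.compile(r"^(aes|camellia)(128|192|256)(gcm|ccm|ctr)?\d*$")
_FIXED = {"chacha20poly1305": 256}


def enc_bits(proposal):
    """Return the key size of every encryption keyword in one proposal string."""
    bits = []
    for token in proposal.lower().split("-"):
        m = _SIZED.match(token)
        if m:
            bits.append(int(m.group(2)))
        elif token in _FIXED:
            bits.append(_FIXED[token])
    if not bits:
        raise ValueError(f"no known encryption keyword in {proposal!r}")
    return bits


def static_workaround_ok(ike_proposals, esp_proposals):
    """Static rule: weakest configured IKE cipher >= strongest configured ESP cipher."""
    weakest_ike = min(b for p in ike_proposals for b in enc_bits(p))
    strongest_esp = max(b for p in esp_proposals for b in enc_bits(p))
    return weakest_ike >= strongest_esp


def esp_allowed_for(negotiated_ike, esp_proposals):
    """Per-connection rule: keep ESP proposals no stronger than the negotiated IKE cipher."""
    limit = max(enc_bits(negotiated_ike))  # a negotiated proposal carries one cipher
    return [p for p in esp_proposals if max(enc_bits(p)) <= limit]


# Constructed sample configuration: a mixed-strength set on both sides.
IKE = ["aes128-sha256-modp2048", "aes256-sha256-modp2048"]
ESP = ["aes128gcm16", "aes256gcm16"]

if __name__ == "__main__":
    # The mixed set fails the static rule, yet each connection can still be constrained.
    print("static rule satisfied:", static_workaround_ok(IKE, ESP))
    for ike in IKE:
        print(ike, "->", esp_allowed_for(ike, ESP))
```

The static rule rejects the mixed configuration outright, while the per-connection filter keeps both IKE ciphers available and narrows the ESP choices only after the IKE cipher is known.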