Hi,

That is not possible natively. You would need to write a plugin for that.

Kind regards

Noel

On 10.10.2017 21:43, Jafar Al-Gharaibeh wrote:
> Is this possible to do in strongSwan currently? I didn't find any
> documentation regarding this. I might look into adding this capability if it
> doesn't currently exist.
>
> Thanks,
> Jafar
>
>
> On 10/5/2017 1:42 PM, Jafar Al-Gharaibeh wrote:
>> Hi,
>>
>> Is there a way to force child SAs not to have ciphers that are stronger (in
>> terms of bits) than the IKE SA that created them? In other words, I want
>> to be able to force IKE encryption to be always stronger than or equal to that
>> of Child SAs. I know this can be achieved by configuring IKE ciphers such
>> that the lowest strength cipher is stronger than or equal to that of any esp
>> cipher, but that is very limiting. Having the ability to do this at run time
>> gives the peers more flexibility and more cipher options to pick from and
>> only make the decision per connection.
>>
>> Regards,
>> Jafar
>>
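The two rules discussed in this thread, as an added example that is not part of the original messages and is not strongSwan code: the static configuration check (weakest IKE cipher at least as strong as the strongest ESP cipher) next to the per-connection comparison the poster asks for. The function names and proposal lists are constructed for illustration, only a small subset of proposal keywords is recognised, and strength is assumed to mean nominal key length in bits.

```python
import re

# Assumption: strength is the nominal key length in bits, as in the question.
# Keywords without an explicit length get a fixed size.
FIXED_BITS = {"3des": 168, "chacha20poly1305": 256}
# Keyword families that carry the key length in the name (subset only).
SIZED = re.compile(r"^(aes|camellia)(128|192|256)(ctr|ccm\d+|gcm\d+)?$")


def enc_bits(proposal):
    """Key lengths of every encryption keyword in one proposal string."""
    bits = []
    for token in proposal.strip().lower().split("-"):
        if token in FIXED_BITS:
            bits.append(FIXED_BITS[token])
            continue
        match = SIZED.match(token)
        if match:
            bits.append(int(match.group(2)))
    if not bits:
        raise ValueError(f"no known encryption keyword in {proposal!r}")
    return bits


def audit(ike_proposals, esp_proposals):
    """Static rule: weakest configured IKE cipher >= strongest ESP cipher."""
    ike_min = min(b for p in ike_proposals for b in enc_bits(p))
    esp_max = max(b for p in esp_proposals for b in enc_bits(p))
    return ike_min >= esp_max, ike_min, esp_max


def negotiated_ok(ike_selected, esp_selected):
    """Per-connection rule: compare only the proposals actually selected."""
    return min(enc_bits(ike_selected)) >= max(enc_bits(esp_selected))


# Constructed sample configuration (not taken from the thread).
IKE_PROPOSALS = ["aes128-sha256-modp2048", "aes256-sha256-modp2048"]
ESP_PROPOSALS = ["aes128gcm16", "aes256gcm16"]

if __name__ == "__main__":
    print("static rule:", audit(IKE_PROPOSALS, ESP_PROPOSALS))
    for ike in IKE_PROPOSALS:
        for esp in ESP_PROPOSALS:
            print(f"{ike:24} + {esp:12} ->", negotiated_ok(ike, esp))
```

The sample lists fail the static rule even though three of the four negotiable combinations would satisfy the per-connection rule, which is the flexibility the question is about.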
