[Swan-dev] defaults for ike= and esp= need updating?

Andrew Cagney andrew.cagney at gmail.com
Thu Dec 8 15:46:24 UTC 2016


Given something like ike=sha1 or ike=aes or ...  pluto uses the following
table to fill in the ENCR-PRF;MODP blanks:

   DH:OAKLEY_GROUP_MODP2048, OAKLEY_GROUP_MODP1536, OAKLEY_GROUP_MODP1024,
   ENCRYPT: OAKLEY_AES_CBC, OAKLEY_3DES_CBC,
   PRF: OAKLEY_SHA1, OAKLEY_MD5,  (it's actually a HMAC based on)

Similarly, for esp:

    encrypt=AES

and esp/ah:

    INTEG="MD5", "SHA1" (it's actually a truncated HMAC based on ...)

Do these need updating?

(my preference is to drop the magic defaults but I suspect that is too
radical)
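
An added example, not part of the original post and not pluto's code: a small audit helper showing which IKE proposals a partial `ike=` value turns into once the blanks are filled from the table quoted above. It assumes the blanks are filled with every combination of the listed defaults; the token-to-algorithm mapping and the `WEAK` policy set are also assumptions made for illustration.

```python
from itertools import product

# Default table as quoted in the post, in the post's order.
IKE_DEFAULTS = {
    "encrypt": ["OAKLEY_AES_CBC", "OAKLEY_3DES_CBC"],
    "prf": ["OAKLEY_SHA1", "OAKLEY_MD5"],
    "dh": ["OAKLEY_GROUP_MODP2048", "OAKLEY_GROUP_MODP1536",
           "OAKLEY_GROUP_MODP1024"],
}
FIELDS = ("encrypt", "prf", "dh")

# Assumption: config tokens map to the table's names like this.
TOKENS = {
    "aes": ("encrypt", "OAKLEY_AES_CBC"),
    "3des": ("encrypt", "OAKLEY_3DES_CBC"),
    "sha1": ("prf", "OAKLEY_SHA1"),
    "md5": ("prf", "OAKLEY_MD5"),
    "modp2048": ("dh", "OAKLEY_GROUP_MODP2048"),
    "modp1536": ("dh", "OAKLEY_GROUP_MODP1536"),
    "modp1024": ("dh", "OAKLEY_GROUP_MODP1024"),
}

# Assumption: the auditor's policy of what should no longer be offered.
WEAK = {"OAKLEY_3DES_CBC", "OAKLEY_MD5", "OAKLEY_GROUP_MODP1024"}


def expand_ike(value):
    """Expand a partial ike= value (e.g. 'sha1', 'aes-sha1;modp2048')."""
    chosen = {}
    for tok in value.lower().replace(";", "-").split("-"):
        if not tok:
            continue
        if tok not in TOKENS:
            raise ValueError(f"unknown algorithm token: {tok!r}")
        field, name = TOKENS[tok]
        chosen[field] = [name]
    # Every field left blank is filled with all of its defaults.
    pools = [chosen.get(f, IKE_DEFAULTS[f]) for f in FIELDS]
    return [dict(zip(FIELDS, combo)) for combo in product(*pools)]


def weak_proposals(value):
    """Return the expanded proposals that contain any WEAK algorithm."""
    return [p for p in expand_ike(value) if WEAK & set(p.values())]


if __name__ == "__main__":
    for cfg in ("sha1", "aes", "aes-sha1;modp2048"):
        total, weak = len(expand_ike(cfg)), len(weak_proposals(cfg))
        print(f"ike={cfg}: {total} proposals, {weak} contain a weak default")
```

Under these assumptions, a connection that names only one algorithm still ends up offering 3DES, MD5 or MODP1024 through the defaults, which is the reason for asking whether the table needs updating.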