[Swan-dev] defaults for ike= and esp= need updating?
Andrew Cagney
andrew.cagney at gmail.com
Thu Dec 8 15:46:24 UTC 2016
Given something like ike=sha1 or ike=aes or ... pluto uses the following
table to fill in the ENCR-PRF;MODP blanks:
DH:OAKLEY_GROUP_MODP2048, OAKLEY_GROUP_MODP1536, OAKLEY_GROUP_MODP1024,
ENCRYPT: OAKLEY_AES_CBC, OAKLEY_3DES_CBC,
PRF: OAKLEY_SHA1, OAKLEY_MD5, (it's actually a HMAC based on)
Similarly, for esp:
encrypt=AES
and esp/ah:
INTEG="MD5", "SHA1" (it's actually a truncated HMAC based on ...)
do these need updating?
(my preference is to drop the magic defaults but I suspect that is too
radical)
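
The sketch below is an added example, not part of the original message and not pluto's code. It shows which algorithms a partial ike= value ends up offering when blanks are filled from the table quoted above. The keyword map, the function names and the assumption that blanks combine as a full cross product in table order are all hypothetical.

```python
from itertools import product

# Default table exactly as quoted in the message (pluto, December 2016).
IKE_DEFAULTS = {
    "encrypt": ["OAKLEY_AES_CBC", "OAKLEY_3DES_CBC"],
    "prf": ["OAKLEY_SHA1", "OAKLEY_MD5"],
    "dh": ["OAKLEY_GROUP_MODP2048", "OAKLEY_GROUP_MODP1536",
           "OAKLEY_GROUP_MODP1024"],
}
SLOTS = ("encrypt", "prf", "dh")

# Hypothetical keyword map for this sketch: only the names in the table above.
KEYWORDS = {
    "aes": ("encrypt", "OAKLEY_AES_CBC"),
    "3des": ("encrypt", "OAKLEY_3DES_CBC"),
    "sha1": ("prf", "OAKLEY_SHA1"),
    "md5": ("prf", "OAKLEY_MD5"),
    "modp2048": ("dh", "OAKLEY_GROUP_MODP2048"),
    "modp1536": ("dh", "OAKLEY_GROUP_MODP1536"),
    "modp1024": ("dh", "OAKLEY_GROUP_MODP1024"),
}

def parse_ike(spec):
    """Return {slot: algorithm} for the parts the administrator typed."""
    chosen = {}
    for token in spec.lower().replace(";", "-").split("-"):
        if token not in KEYWORDS:
            raise ValueError(f"unknown algorithm keyword: {token!r}")
        slot, name = KEYWORDS[token]
        if slot in chosen:
            raise ValueError(f"{slot} given twice in {spec!r}")
        chosen[slot] = name
    return chosen

def expand_ike(spec):
    """Fill every blank slot with its defaults (assumed: full cross product)."""
    chosen = parse_ike(spec)
    columns = [[chosen[s]] if s in chosen else IKE_DEFAULTS[s] for s in SLOTS]
    return list(product(*columns))

def implicit_algorithms(spec):
    """Algorithms that end up offered although they were never typed."""
    chosen = parse_ike(spec)
    return sorted(a for s in SLOTS if s not in chosen for a in IKE_DEFAULTS[s])

if __name__ == "__main__":
    for spec in ("sha1", "aes", "aes-sha1;modp2048"):
        print(f"ike={spec}: {len(expand_ike(spec))} proposals,",
              "implicit:", implicit_algorithms(spec))
```

Running it lists, for each sample value, how many proposals result and which algorithms were pulled in by the defaults rather than by the configuration line.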