[Swan-dev] defaults for ike= and esp= need updating?
Tuomo Soini
tis at foobar.fi
Tue Dec 13 15:17:29 UTC 2016
On Thu, 8 Dec 2016 11:36:27 -0500 (EST)
Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 8 Dec 2016, Andrew Cagney wrote:
>
> > Given something like ike=sha1 or ike=aes or ... pluto uses the
> > following table to fill in the ENCR-PRF;MODP blanks:
>
> It should basically act as a filter on the "default set".
>
> > DH:OAKLEY_GROUP_MODP2048, OAKLEY_GROUP_MODP1536,
> > OAKLEY_GROUP_MODP1024,
>
>
> Can this behaviour be tuned for IKEv1 or IKEv2? I would like IKEv2 to
> not have 1536/1024. And I would like IKEv1 to not have 1024.
Sorry. We can't drop modp1024 from default IKEv1 proposals before
Windows fixes their algo support to include modp2048.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>