[Swan-dev] IKEv1 ike=aes preferring AES128 over AES256?

Andrew Cagney andrew.cagney at gmail.com
Wed Feb 1 18:14:23 UTC 2017

For IKEv1, given a line like ike=aes (I suspect technically it is
something like phase1=aes), pluto proposes:

   encr=aes, keylen=128,256

leading it to prefer 128 over 268 (look for the code following the
comment 'This odd FOR loop' in spdb_struct.c).  However, if nothing at
all is specified then it proposes:


leading to a preference for 256 bit keys (look at spdb.c).

Should IKEv1 IKE be more consistent and always prefer the stronger 256
bit key length (i.e., the max key len)?


(this would also make it consistent with IKEv2)
(ESP, with different code, would still prefer 128 bit keys)

More information about the Swan-dev mailing list