[Swan-dev] IKEv1 ike=aes preferring AES128 over AES256?

Andrew Cagney andrew.cagney at gmail.com
Wed Feb 1 18:14:23 UTC 2017


For IKEv1, given a line like ike=aes (I suspect technically it is
something like phase1=aes), pluto proposes:

   encr=aes, keylen=128,256

leading it to prefer 128 over 256 (look for the code following the
comment 'This odd FOR loop' in spdb_struct.c).  However, if nothing at
all is specified then it proposes:

   encr=aes,keylen=256
   encr=aes,keylen=128

leading to a preference for 256 bit keys (look at spdb.c).

Should IKEv1 IKE be more consistent and always prefer the stronger 256
bit key length (i.e., the max key len)?

Andrew

(this would also make it consistent with IKEv2)
(ESP, with different code, would still prefer 128 bit keys)
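
The ordering effect described in the message, as an added example (not code from the post or from pluto): a small C model in which the responder is assumed to take the first offered key length it accepts. `negotiate`, `weaker_listed_first` and the sample arrays are hypothetical names with constructed values.

```c
/* Added illustration; not code from libreswan/pluto. */
#include <stddef.h>
#include <stdio.h>

/* One offered AES transform, in the order the initiator lists it. */
struct offer { int keylen; };

/* Assumed responder rule: take the first offered key length it accepts.
 * Returns the chosen key length, or 0 if nothing is acceptable. */
int negotiate(const struct offer *o, size_t n, const int *ok, size_t nok)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nok; j++)
            if (o[i].keylen == ok[j])
                return o[i].keylen;
    return 0;
}

/* Audit check: index of the first offer that is listed ahead of a
 * stronger one, or -1 if the list is ordered strongest first. */
int weaker_listed_first(const struct offer *o, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (o[i].keylen < o[j].keylen)
                return (int)i;
    return -1;
}

/* Constructed samples matching the two orderings in the message. */
const struct offer ike_aes[]  = { {128}, {256} };  /* ike=aes     */
const struct offer ike_dflt[] = { {256}, {128} };  /* nothing set */
const int accept_both[] = { 128, 256 };
const int accept_256[]  = { 256 };

int main(void)
{
    printf("ike=aes, peer accepts both: %d\n", negotiate(ike_aes, 2, accept_both, 2));
    printf("default, peer accepts both: %d\n", negotiate(ike_dflt, 2, accept_both, 2));
    printf("ike=aes, peer accepts 256 only: %d\n", negotiate(ike_aes, 2, accept_256, 1));
    printf("ike=aes weaker-first index: %d\n", weaker_listed_first(ike_aes, 2));
    return 0;
}
```

With a peer that accepts both lengths, the 128-first ordering settles on 128 even though both sides support 256; the audit function flags that ordering.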

