IKEv1 Cipher Suites

The keywords listed below can be used with the ike and esp directives in ipsec.conf or the proposals settings in swanctl.conf to define cipher suites.

IANA provides lists of algorithm identifiers for IKEv1 and IPsec.

Encryption Algorithms

Keyword                      Description                            IANA  IKE      ESP  Built-in Plugins  Broken
null                         Null encryption                        11             k
aes128 or aes                128 bit AES-CBC                        7     x o g a  k    aes
aes192                       192 bit AES-CBC                              x o g a  k    aes
aes256                       256 bit AES-CBC                              x o g a  k    aes
aes128ctr                    128 bit AES-COUNTER                    13             k
aes192ctr                    192 bit AES-COUNTER                                   k
aes256ctr                    256 bit AES-COUNTER                                   k
aes128ccm8 or aes128ccm64    128 bit AES-CCM with 64 bit ICV        14             k
aes192ccm8 or aes192ccm64    192 bit AES-CCM with 64 bit ICV                       k
aes256ccm8 or aes256ccm64    256 bit AES-CCM with 64 bit ICV                       k
aes128ccm12 or aes128ccm96   128 bit AES-CCM with 96 bit ICV        15             k
aes192ccm12 or aes192ccm96   192 bit AES-CCM with 96 bit ICV                       k
aes256ccm12 or aes256ccm96   256 bit AES-CCM with 96 bit ICV                       k
aes128ccm16 or aes128ccm128  128 bit AES-CCM with 128 bit ICV       16             k
aes192ccm16 or aes192ccm128  192 bit AES-CCM with 128 bit ICV                      k
aes256ccm16 or aes256ccm128  256 bit AES-CCM with 128 bit ICV                      k
aes128gcm8 or aes128gcm64    128 bit AES-GCM with 64 bit ICV        18             k
aes192gcm8 or aes192gcm64    192 bit AES-GCM with 64 bit ICV                       k
aes256gcm8 or aes256gcm64    256 bit AES-GCM with 64 bit ICV                       k
aes128gcm12 or aes128gcm96   128 bit AES-GCM with 96 bit ICV        19             k
aes192gcm12 or aes192gcm96   192 bit AES-GCM with 96 bit ICV                       k
aes256gcm12 or aes256gcm96   256 bit AES-GCM with 96 bit ICV                       k
aes128gcm16 or aes128gcm128  128 bit AES-GCM with 128 bit ICV       20             k
aes192gcm16 or aes192gcm128  192 bit AES-GCM with 128 bit ICV                      k
aes256gcm16 or aes256gcm128  256 bit AES-GCM with 128 bit ICV                      k
aes128gmac                   Null encryption with 128 bit AES-GMAC  23             k
aes192gmac                   Null encryption with 192 bit AES-GMAC                 k
aes256gmac                   Null encryption with 256 bit AES-GMAC                 k
3des                         168 bit 3DES-EDE-CBC                   5     x o g a  k    des               s
blowfish128 or blowfish      128 bit Blowfish-CBC                   3     x o g a  k    blowfish          s
blowfish192                  192 bit Blowfish-CBC                         x o a    k    blowfish          s
blowfish256                  256 bit Blowfish-CBC                         x o a    k    blowfish          s
camellia128 or camellia      128 bit Camellia-CBC                   8              k
camellia192                  192 bit Camellia-CBC                                  k
camellia256                  256 bit Camellia-CBC                                  k
serpent128 or serpent        128 bit Serpent-CBC                    252   g a      k
serpent192                   192 bit Serpent-CBC                          g a      k
serpent256                   256 bit Serpent-CBC                          g a      k
twofish128 or twofish        128 bit Twofish-CBC                    253   g a      k
twofish192                   192 bit Twofish-CBC                          a        k
twofish256                   256 bit Twofish-CBC                          g a      k

IKE support
  x  default built-in crypto plugin(s) (see separate column)
  o  OpenSSL crypto library (openssl plugin)
  g  Gcrypt crypto library (gcrypt plugin)
  a  AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (af-alg plugin)
ESP support
  k  Linux 2.6+ kernel
Broken
  s  broken by SWEET32

Integrity Algorithms

Keyword                   Description        IANA  IKE    ESP/AH  Length   Built-in Plugins
md5                       MD5 HMAC           1     x o a  k       96 bit   md5, hmac
sha1 or sha               SHA1 HMAC          2     x o a  k       96 bit   sha1, hmac
sha256 or sha2_256        SHA2_256_128 HMAC  5     x o a  n       128 bit  sha2, hmac
sha384 or sha2_384        SHA2_384_192 HMAC  6     x o a  k       192 bit  sha2, hmac
sha512 or sha2_512        SHA2_512_256 HMAC  7     x o a  k       256 bit  sha2, hmac
sha256_96 or sha2_256_96  SHA2_256_96 HMAC   p            n       96 bit
aesxcbc                   AES XCBC           9            k       96 bit
aes128gmac                128-bit AES-GMAC   11           q       128 bit
aes192gmac                192-bit AES-GMAC   12           q       128 bit
aes256gmac                256-bit AES-GMAC   13           q       128 bit

IKE support
  x  default built-in crypto plugin(s) (see separate column)
  o  OpenSSL crypto library (openssl plugin)
  a  AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (af-alg plugin)
  It's also possible to use the hash implementations provided by the gcrypt or openssl plugin together with the hmac plugin.
ESP/AH support
  k  Linux 2.6+ kernel
  q  for AH; AES-GMAC is negotiated as encryption algorithm for ESP
  n  before version 2.6.33 the Linux kernel incorrectly used 96 bit truncation for SHA-256; sha256_96 is only supported for compatibility with such kernels
  p  strongSwan uses the value 252 from the IANA private use range

Diffie Hellman Groups

Keyword       DH Group  Modulus    Subgroup  IKE    Questionable Security

Regular Groups
modp768       1         768 bits             m o g  l
modp1024      2         1024 bits            m o g  l
modp1536      5         1536 bits            m o g
modp2048      14        2048 bits            m o g
modp3072      15        3072 bits            m o g
modp4096      16        4096 bits            m o g
modp6144      17        6144 bits            m o g
modp8192      18        8192 bits            m o g

Modulo Prime Groups with Prime Order Subgroup
modp1024s160  22        1024 bits  160 bits  m o g  x
modp2048s224  23        2048 bits  224 bits  m o g  x
modp2048s256  24        2048 bits  256 bits  m o g  x

NIST Elliptic Curve Groups
ecp192        25        192 bits             o
ecp224        26        224 bits             o
ecp256        19        256 bits             o
ecp384        20        384 bits             o
ecp521        21        521 bits             o

Brainpool Elliptic Curve Groups
ecp224bp      27        224 bits             o
ecp256bp      28        256 bits             o
ecp384bp      29        384 bits             o
ecp512bp      30        512 bits             o

Elliptic Curve 25519
curve25519    31        256 bits             c

IKE support
  c  curve25519 plugin
  m  GMP multi-precision library (gmp plugin)
  o  OpenSSL crypto library (openssl plugin)
  g  Gcrypt crypto library (gcrypt plugin)
Questionable security
  x  questionable source of the primes. Potentially trapdoored (https://eprint.iacr.org/2016/961).
  l  broken by LogJam
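
The following Python sketch is an added example, not part of the strongSwan documentation: it scans ipsec.conf text for ike= and esp= lines and reports every keyword that the tables above mark as broken (SWEET32, LogJam) or of questionable security. It assumes the usual ipsec.conf proposal notation, which this page does not show (comma-separated proposals, keywords joined by "-", optional trailing "!"); the audit() function name and the sample connections are constructed for illustration.

```python
import re

# Flags copied from the "Broken" and "Questionable Security" columns above.
FLAGGED = {
    "3des": "broken by SWEET32",
    "blowfish": "broken by SWEET32",
    "blowfish128": "broken by SWEET32",
    "blowfish192": "broken by SWEET32",
    "blowfish256": "broken by SWEET32",
    "modp768": "broken by LogJam",
    "modp1024": "broken by LogJam",
    "modp1024s160": "questionable source of the primes",
    "modp2048s224": "questionable source of the primes",
    "modp2048s256": "questionable source of the primes",
}

# Assumed syntax: "ike=" / "esp=" followed by proposals up to end of line or "#".
DIRECTIVE = re.compile(r"^[ \t]*(ike|esp)[ \t]*=[ \t]*([^#\n]+)", re.MULTILINE)


def audit(conf_text):
    """Return (directive, proposal, keyword, reason) for each flagged keyword."""
    findings = []
    for directive, value in DIRECTIVE.findall(conf_text):
        # Drop the strict flag "!" and walk each comma-separated proposal.
        for proposal in value.strip().rstrip("!").split(","):
            proposal = proposal.strip()
            for keyword in proposal.lower().split("-"):
                if keyword in FLAGGED:
                    findings.append((directive, proposal, keyword, FLAGGED[keyword]))
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
conn legacy
    ike=3des-sha1-modp1024,aes256-sha256-modp2048!
    esp=aes128-sha1
conn site
    ike=aes256-sha384-ecp384!
    esp=blowfish256-sha256-modp2048s256
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: %s -> %s (%s)" % finding)
```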

Post-Quantum Key Exchange using NTRU Encryption

Keyword  DH Group  Strength  IKE
ntru112  1030      112 bits  n
ntru128  1031      128 bits  n
ntru192  1032      192 bits  n
ntru256  1033      256 bits  n

IKE support
  n  ntru plugin (includes ntru-crypto library)

Post-Quantum Key Exchange using NewHope

Keyword     DH Group  Strength  IKE
newhope128  1040      128 bits  n

IKE support
  n  newhope plugin

The Diffie-Hellman Group Transform IDs 1030..1033 and 1040, which the strongSwan project selected to designate the four NTRU key exchange strengths and the NewHope key exchange algorithm, respectively, were taken from the private-use range. The charon daemon must therefore send the strongSwan vendor ID, which can be enabled by the following statement in /etc/strongswan.conf:

charon {
  send_vendor_id = yes
}