History

IKEv1 Cipher Suites » History » Version 12

« Previous - Version 12/31 (diff) - Next » - Current version
Tobias Brunner, 28.02.2012 10:33
integrity algorithms updated

IKEv1 Cipher Suites¶

The keywords listed below can be used with the ike and esp directives in ipsec.conf to define cipher suites.

Encryption Algorithms¶

Keyword	Description	IKE	ESP
null	Null encryption		k
aes128 or aes	128 bit AES-CBC	x o g a	k
aes192	192 bit AES-CBC	x o g a	k
aes256	256 bit AES-CBC	x o g a	k
aes128ctr	128 bit AES-COUNTER		k
aes192ctr	192 bit AES-COUNTER		k
aes256ctr	256 bit AES-COUNTER		k
aes128ccm8 or aes128ccm64	128 bit AES-CCM with 64 bit ICV		k
aes128ccm12 or aes128ccm96	128 bit AES-CCM with 96 bit ICV		k
aes128ccm16 or aes128ccm128	128 bit AES-CCM with 128 bit ICV		k
aes192ccm8 or aes192ccm64	192 bit AES-CCM with 64 bit ICV		k
aes192ccm12 or aes192ccm96	192 bit AES-CCM with 96 bit ICV		k
aes192ccm16 or aes192ccm128	192 bit AES-CCM with 128 bit ICV		k
aes256ccm8 or aes256ccm64	256 bit AES-CCM with 64 bit ICV		k
aes256ccm12 or aes256ccm96	256 bit AES-CCM with 96 bit ICV		k
aes256ccm16 or aes256ccm128	256 bit AES-CCM with 128 bit ICV		k
aes128gcm8 or aes128gcm64	128 bit AES-GCM with 64 bit ICV		k
aes128gcm12 or aes128gcm96	128 bit AES-GCM with 96 bit ICV		k
aes128gcm16 or aes128gcm128	128 bit AES-GCM with 128 bit ICV		k
aes192gcm8 or aes192gcm64	192 bit AES-GCM with 64 bit ICV		k
aes192gcm12 or aes192gcm96	192 bit AES-GCM with 96 bit ICV		k
aes192gcm16 or aes192gcm128	192 bit AES-GCM with 128 bit ICV		k
aes256gcm8 or aes256gcm64	256 bit AES-GCM with 64 bit ICV		k
aes256gcm12 or aes256gcm96	256 bit AES-GCM with 96 bit ICV		k
aes256gcm16 or aes256gcm128	256 bit AES-GCM with 128 bit ICV		k
aes128gmac	Null encryption with 128 bit AES-GMAC		k
aes192gmac	Null encryption with 192 bit AES-GMAC		k
aes256gmac	Null encryption with 256 bit AES-GMAC		k
3des	168 bit 3DES-EDE-CBC	x o g a	k
blowfish128 or blowfish	128 bit Blowfish-CBC	x o g a	k
blowfish192	192 bit Blowfish-CBC	x o a	k
blowfish256	256 bit Blowfish-CBC	x o a	k
camellia128 or camellia	128 bit Camellia-CBC		k
camellia192	192 bit Camellia-CBC		k
camellia256	256 bit Camellia-CBC		k
serpent128 or serpent	128 bit Serpent-CBC	g a	k
serpent192	192 bit Serpent-CBC	g a	k
serpent256	256 bit Serpent-CBC	g a	k
twofish128 or twofish	128 bit Twofish-CBC	g a	k
twofish192	192 bit Twofish-CBC	a	k
twofish256	256 bit Twofish-CBC	g a	k

x default built-in crypto library
o OpenSSL crypto library
g Gcrypt crypto library
a AF_ALG userland crypto API for Linux 2.6.38 kernel or newer
k Linux 2.6 kernel

Integrity Algorithms¶

Keyword	Description	IKE	ESP	Info
md5	MD5 HMAC	96 bit	96 bit
sha1 or sha	SHA1 HMAC	96 bit	96 bit
aesxcbc	AES XCBC	n/a	96 bit
sha2_256 or sha256	SHA2_256_128 HMAC	128 bit	128 bit	t
sha2_384 or sha384	SHA2_384_192 HMAC	192 bit	192 bit
sha2_512 or sha512	SHA2_512_256 HMAC	256 bit	256 bit
sha2_256_96 or sha256_96	SHA2_256_96 HMAC	n/a	96 bit	p t

p strongSwan uses the value 252 from the IANA private use range
t before version 2.6.33 the Linux kernel incorrectly used 96 bit truncation for SHA-256

Diffie Hellman Groups¶

Modulo Prime Groups¶

Keyword	DH Group	Modulus	IKE
modp768	1	768 bits	m o g
modp1024	2	1024 bits	m o g
modp1536	5	1536 bits	m o g
modp2048	14	2048 bits	m o g
modp3072	15	3072 bits	m o g
modp4096	16	4096 bits	m o g
modp6144	17	6144 bits	m o g
modp8192	18	8192 bits	m o g

Modulo Prime Groups with Prime Order Subgroup¶

Keyword	DH Group	Modulus	Subgroup	IKE
modp1024s160	22	1024 bits	160 bits	m o g
modp2048s224	23	2048 bits	224 bits	m o g
modp2048s256	24	2048 bits	256 bits	m o g

Elliptic Curve Groups¶

Keyword	DH Group	Modulus	IKE
ecp192	25	192 bits	o
ecp224	26	224 bits	o
ecp256	19	256 bits	o
ecp384	20	384 bits	o
ecp521	21	521 bits	o

m GMP multi-precision library
o OpenSSL crypto library
g Gcrypt crypto library

Files (0)

Project

General

Profile

strongSwan

Documentation¶

Resources¶

Wiki