strongSwan

h1. IKEv1 Cipher Suites

The keywords listed below can be used with the _ike_ and _esp_ directives in [[ipsec.conf]] or the _proposals_ settings in [[swanctl.conf]] to define cipher suites.

IANA provides lists of algorithm identifiers for "IKEv1":http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml and "IPsec":https://www.iana.org/assignments/isakmp-registry.

h2. Encryption Algorithms

|_<. Keyword                     |_<. Description                       |_.IANA |_.IKE  |_.ESP|_. Built-in Plugins|_. Broken|

|*null*                          |Null encryption                       |=.11   |       |=.k  |||

|*aes128* or *aes*               |128 bit AES-CBC                       |/3=.7  |x o g a|=.k  |aes||

|*aes192*                        |192 bit AES-CBC                               |x o g a|=.k  |aes||

|*aes256*                        |256 bit AES-CBC                               |x o g a|=.k  |aes||

|*aes128ctr*                     |128 bit AES-COUNTER                   |/3=.13 |       |=.k  |||

|*aes192ctr*                     |192 bit AES-COUNTER                           |       |=.k  |||

|*aes256ctr*                     |256 bit AES-COUNTER                           |       |=.k  |||

|*aes128ccm8*  or *aes128ccm64*  |128 bit AES-CCM with  64 bit ICV      |/3=.14 |       |=.k  |||

|*aes192ccm8*  or *aes192ccm64*  |192 bit AES-CCM with  64 bit ICV              |       |=.k  |||

|*aes256ccm8*  or *aes256ccm64*  |256 bit AES-CCM with  64 bit ICV              |       |=.k  |||

|*aes128ccm12* or *aes128ccm96*  |128 bit AES-CCM with  96 bit ICV      |/3=.15 |       |=.k  |||

|*aes192ccm12* or *aes192ccm96*  |192 bit AES-CCM with  96 bit ICV              |       |=.k  |||

|*aes256ccm12* or *aes256ccm96*  |256 bit AES-CCM with  96 bit ICV              |       |=.k  |||

|*aes128ccm16* or *aes128ccm128* |128 bit AES-CCM with 128 bit ICV      |/3=.16 |       |=.k  |||

|*aes192ccm16* or *aes192ccm128* |192 bit AES-CCM with 128 bit ICV              |       |=.k  |||

|*aes256ccm16* or *aes256ccm128* |256 bit AES-CCM with 128 bit ICV              |       |=.k  |||

|*aes128gcm8*  or *aes128gcm64*  |128 bit AES-GCM with  64 bit ICV      |/3=.18 |       |=.k  |||

|*aes192gcm8*  or *aes192gcm64*  |192 bit AES-GCM with  64 bit ICV              |       |=.k  |||

|*aes256gcm8*  or *aes256gcm64*  |256 bit AES-GCM with  64 bit ICV              |       |=.k  |||

|*aes128gcm12* or *aes128gcm96*  |128 bit AES-GCM with  96 bit ICV      |/3=.19 |       |=.k  |||

|*aes192gcm12* or *aes192gcm96*  |192 bit AES-GCM with  96 bit ICV              |       |=.k  |||

|*aes256gcm12* or *aes256gcm96*  |256 bit AES-GCM with  96 bit ICV              |       |=.k  |||

|*aes128gcm16* or *aes128gcm128* |128 bit AES-GCM with 128 bit ICV      |/3=.20 |       |=.k  |||

|*aes192gcm16* or *aes192gcm128* |192 bit AES-GCM with 128 bit ICV              |       |=.k  |||

|*aes256gcm16* or *aes256gcm128* |256 bit AES-GCM with 128 bit ICV              |       |=.k  |||

|*aes128gmac*                    |Null encryption with 128 bit AES-GMAC |/3=.23 |       |=.k  |||

|*aes192gmac*                    |Null encryption with 192 bit AES-GMAC         |       |=.k  |||

|*aes256gmac*                    |Null encryption with 256 bit AES-GMAC         |       |=.k  |||

|*3des*                          |168 bit 3DES-EDE-CBC                  |=.5    |x o g a|=.k  |des|s|

|*blowfish128* or *blowfish*     |128 bit Blowfish-CBC                  |/3=.3  |x o g a|=.k  |blowfish|s|

|*blowfish192*                   |192 bit Blowfish-CBC                          |x o a  |=.k  |blowfish|s|

|*blowfish256*                   |256 bit Blowfish-CBC                          |x o a  |=.k  |blowfish|s|

|*camellia128* or *camellia*     |128 bit Camellia-CBC                  |/3=.8  |       |=.k  |||

|*camellia192*                   |192 bit Camellia-CBC                          |       |=.k  |||

|*camellia256*                   |256 bit Camellia-CBC                          |       |=.k  |||

|*serpent128* or *serpent*       |128 bit Serpent-CBC                   |/3=.252|>.g a  |=.k  |||

|*serpent192*                    |192 bit Serpent-CBC                           |>.g a  |=.k  |||

|*serpent256*                    |256 bit Serpent-CBC                           |>.g a  |=.k  |||

|*twofish128* or *twofish*       |128 bit Twofish-CBC                   |/3=.253|>.g a  |=.k  |||

|*twofish192*                    |192 bit Twofish-CBC                           |>.  a  |=.k  |||

|*twofish256*                    |256 bit Twofish-CBC                           |>.g a  |=.k  |||

|\7(level2). IKE support|

|\7(level3).*x* default built-in crypto plugin(s) (see separate column)

*o* OpenSSL crypto library (_openssl_ plugin)

*g* Gcrypt crypto library (_gcrypt_ plugin)

*a* AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (_af-alg_ plugin)|

|\7(level2). ESP support|

|\7(level3).*k* Linux 2.6+ kernel|

|\7(level2). Broken|

|\7(level3).*s* broken by "SWEET32":https://sweet32.info/|

h2. Integrity Algorithms

|_<. Keyword                  |_<. Description   |_.IANA|_=.IKE   |_=.ESP/AH|_.Length |_.Built-in Plugins|

|*md5*                        |MD5 HMAC          |=.1   |=. x o a |=.k      |>. 96 bit|md5, hmac |

|*sha1* or *sha*              |SHA1 HMAC         |=.2   |=. x o a |=.k      |>. 96 bit|sha1, hmac|

|*sha256* or *sha2_256*       |SHA2_256_128 HMAC |=.5   |=. x o a |=.n      |>.128 bit|sha2, hmac|

|*sha384* or *sha2_384*       |SHA2_384_192 HMAC |=.6   |=. x o a |=.k      |>.192 bit|sha2, hmac|

|*sha512* or *sha2_512*       |SHA2_512_256 HMAC |=.7   |=. x o a |=.k      |>.256 bit|sha2, hmac|

|*sha256_96* or *sha2_256_96* |SHA2_256_96  HMAC |=.p   |=.       |=.n      |>. 96 bit|          |

|*aesxcbc*                    |AES XCBC          |=.9   |=.       |=.k      |>. 96 bit|          |

|*aes128gmac*                 |128-bit AES-GMAC  |=.11  |=.       |=.q      |>.128 bit|          |

|*aes192gmac*                 |192-bit AES-GMAC  |=.12  |=.       |=.q      |>.128 bit|          |

|*aes256gmac*                 |256-bit AES-GMAC  |=.13  |=.       |=.q      |>.128 bit|          |

|\7(level2). IKE support|

|\7(level3). *x* default built-in crypto plugin(s) (see separate column)

*o* OpenSSL crypto library (_openssl_ plugin)

*a* AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (_af-alg_ plugin)

It's also possible to use the hash implementations provided by the _gcrypt_ or _openssl_ plugin together with the _hmac_ plugin.|

|\7(level2). ESP/AH support|

|\7(level3). *k* Linux 2.6+ kernel

*q* for AH, AES-GMAC is negotiated as encryption algorithm for ESP

*n* before version 2.6.33 the Linux kernel incorrectly used 96 bit truncation for SHA-256, _sha256_96_ is only supported for compatibility with such kernels

*p* strongSwan uses the value 252 from the IANA private use range|

h2. Diffie Hellman Groups

|_.Keyword      |_.DH Group|_.Modulus   |_.Subgroup |_.IKE|_.Questionable Security|

|\6(level2). Regular Groups                                                       |

|*modp768*      |=.  1     |>.768 bits  |           |m o g|                       |

|*modp1024*     |=.  2     |>.1024 bits |           |m o g|                       |

|*modp1536*     |=.  5     |>.1536 bits |           |m o g|                       |

|*modp2048*     |=. 14     |>.2048 bits |           |m o g|                       |

|*modp3072*     |=. 15     |>.3072 bits |           |m o g|                       |

|*modp4096*     |=. 16     |>.4096 bits |           |m o g|                       |

|*modp6144*     |=. 17     |>.6144 bits |           |m o g|                       |

|*modp8192*     |=. 18     |>.8192 bits |           |m o g|                       |

|\6(level2). Modulo Prime Groups with Prime Order Subgroup                        |

|*modp1024s160* |=. 22     |>.1024 bits |>.160 bits |m o g|x                      |

|*modp2048s224* |=. 23     |>.2048 bits |>.224 bits |m o g|                       |

|*modp2048s256* |=. 24     |>.2048 bits |>.256 bits |m o g|x                      |

|\6(level2). NIST Elliptic Curve Groups                                           |

|*ecp192*       |=. 25     |>.192 bits  |           |=.o  |                       |

|*ecp224*       |=. 26     |>.224 bits  |           |=.o  |                       |

|*ecp256*       |=. 19     |>.256 bits  |           |=.o  |                       |

|*ecp384*       |=. 20     |>.384 bits  |           |=.o  |                       |

|*ecp521*       |=. 21     |>.521 bits  |           |=.o  |                       |

|\6(level2). Brainpool Elliptic Curve Groups                                      |

|*ecp224bp*     |=. 27     |>.224 bits  |           |=.o  |                       |

|*ecp256bp*     |=. 28     |>.256 bits  |           |=.o  |                       |

|*ecp384bp*     |=. 29     |>.384 bits  |           |=.o  |                       |

|*ecp512bp*     |=. 30     |>.512 bits  |           |=.o  |                       |

|\6(level2). IKE support                                                         |

|\6(level3). *m* GMP multi-precision library (_gmp_ plugin)

*o* OpenSSL crypto library (_openssl_ plugin)

*g* Gcrypt crypto library (_gcrypt_ plugin)|

|\6(level2). Questionable security|

|\6(level3). *x* questionable source of the primes. Potentially trapdoored (https://eprint.iacr.org/2016/961).|

h3. Post-Quantum Key Exchange using NTRU Encryption

|Keyword    |DH Group |Strength   |IKE |

|*ntru112*  |=. 1030  |>.112 bits |=.n |

|*ntru128*  |=. 1031  |>.128 bits |=.n |

|*ntru192*  |=. 1032  |>.192 bits |=.n |

|*ntru256*  |=. 1033  |>.256 bits |=.n |

|\4(level2). IKE support|

|\4(level3). *n* _ntru_ plugin (includes "ntru-crypto":https://github.com/NTRUOpenSourceProject/ntru-crypto library)|

h3. Post-Quantum Key Exchange using NewHope

|_.Keyword  |_.DH Group|_.Strength |_.IKE|

|*newhope128*  |=. 1040   |>.128 bits |=.n  |

|\4(level2). IKE support|

|\4(level3). *n* _newhope_ plugin|

Since the Diffie-Hellman Group Transform IDs 1030..1033 and 1040 selected by the strongSwan project to designate the four NTRU key exchange strengths and the NewHope key exchange algorithm, respectively, were taken from the private-use range, the strongSwan vendor ID *must* be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:<pre>

charon {

  send_vendor_id = yes

}

</pre>