IKEv2 Cipher Suites

The keywords listed below can be used with the ike and esp directives in ipsec.conf or the proposals settings in swanctl.conf to define cipher suites.

IANA provides a complete list of algorithm identifiers registered for IKEv2.

Encryption Algorithms

Keyword Description IANA IKE ESP Built-in Plugins Broken
3des 168 bit 3DES-EDE-CBC 3 x o g a k des s
cast128 128 bit CAST-CBC 6 o g a m s
blowfish128 or blowfish 128 bit Blowfish-CBC 7 x o g a k blowfish s
blowfish192 192 bit Blowfish-CBC x o a k blowfish s
blowfish256 256 bit Blowfish-CBC x o a k blowfish s
null Null encryption 11 o k
aes128 or aes 128 bit AES-CBC 12 x o g a k aes
aes192 192 bit AES-CBC x o g a k aes
aes256 256 bit AES-CBC x o g a k aes
aes128ctr 128 bit AES-COUNTER 13 x o g a k aes, ctr
aes192ctr 192 bit AES-COUNTER x o g a k aes, ctr
aes256ctr 256 bit AES-COUNTER x o g a k aes, ctr
aes128ccm8 or aes128ccm64 128 bit AES-CCM with 64 bit ICV 14 x o g a k aes, ccm
aes192ccm8 or aes192ccm64 192 bit AES-CCM with 64 bit ICV x o g a k aes, ccm
aes256ccm8 or aes256ccm64 256 bit AES-CCM with 64 bit ICV x o g a k aes, ccm
aes128ccm12 or aes128ccm96 128 bit AES-CCM with 96 bit ICV 15 x o g a k aes, ccm
aes192ccm12 or aes192ccm96 192 bit AES-CCM with 96 bit ICV x o g a k aes, ccm
aes256ccm12 or aes256ccm96 256 bit AES-CCM with 96 bit ICV x o g a k aes, ccm
aes128ccm16 or aes128ccm128 128 bit AES-CCM with 128 bit ICV 16 x o g a k aes, ccm
aes192ccm16 or aes192ccm128 192 bit AES-CCM with 128 bit ICV x o g a k aes, ccm
aes256ccm16 or aes256ccm128 256 bit AES-CCM with 128 bit ICV x o g a k aes, ccm
aes128gcm8 or aes128gcm64 128 bit AES-GCM with 64 bit ICV 18 x o g a k aes, gcm
aes192gcm8 or aes192gcm64 192 bit AES-GCM with 64 bit ICV x o g a k aes, gcm
aes256gcm8 or aes256gcm64 256 bit AES-GCM with 64 bit ICV x o g a k aes, gcm
aes128gcm12 or aes128gcm96 128 bit AES-GCM with 96 bit ICV 19 x o g a k aes, gcm
aes192gcm12 or aes192gcm96 192 bit AES-GCM with 96 bit ICV x o g a k aes, gcm
aes256gcm12 or aes256gcm96 256 bit AES-GCM with 96 bit ICV x o g a k aes, gcm
aes128gcm16 or aes128gcm128 128 bit AES-GCM with 128 bit ICV 20 x o g a k aes, gcm
aes192gcm16 or aes192gcm128 192 bit AES-GCM with 128 bit ICV x o g a k aes, gcm
aes256gcm16 or aes256gcm128 256 bit AES-GCM with 128 bit ICV x o g a k aes, gcm
aes128gmac Null encryption with 128 bit AES-GMAC 21 - k
aes192gmac Null encryption with 192 bit AES-GMAC - k
aes256gmac Null encryption with 256 bit AES-GMAC - k
camellia128 or camellia 128 bit Camellia-CBC 23 o g a k
camellia192 192 bit Camellia-CBC o g a k
camellia256 256 bit Camellia-CBC o g a k
camellia128ctr 128 bit Camellia-COUNTER 24 o g a k
camellia192ctr 192 bit Camellia-COUNTER o g a k
camellia256ctr 256 bit Camellia-COUNTER o g a k
camellia128ccm8 or camellia128ccm64 128 bit Camellia-CCM with 64 bit ICV 25 o g a
camellia192ccm8 or camellia192ccm64 192 bit Camellia-CCM with 64 bit ICV o g a
camellia256ccm8 or camellia256ccm64 256 bit Camellia-CCM with 64 bit ICV o g a
camellia128ccm12 or camellia128ccm96 128 bit Camellia-CCM with 96 bit ICV 26 o g a
camellia192ccm12 or camellia192ccm96 192 bit Camellia-CCM with 96 bit ICV o g a
camellia256ccm12 or camellia256ccm96 256 bit Camellia-CCM with 96 bit ICV o g a
camellia128ccm16 or camellia128ccm128 128 bit Camellia-CCM with 128 bit ICV 27 o g a
camellia192ccm16 or camellia192ccm128 192 bit Camellia-CCM with 128 bit ICV o g a
camellia256ccm16 or camellia256ccm128 256 bit Camellia-CCM with 128 bit ICV o g a
chacha20poly1305 256 bit ChaCha20/Poly1305 with 128 bit ICV 28 x n chapoly
IKE support
x default built-in crypto plugin(s) (see separate column, chapoly since 5.3.3)
o OpenSSL crypto library (openssl plugin)
g Gcrypt crypto library (gcrypt plugin)
a AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (af-alg plugin)
ESP support
k Linux 2.6+ kernel
m cast128 couldn't be used before 5.2.0 (see #633)
n Linux 4.2+ kernel
Broken
s broken by SWEET32

Integrity Algorithms

Keyword Description IANA IKE ESP/AH Length Built-in Plugins
md5 MD5 HMAC 1 x o a k 96 bit md5, hmac
md5_128 MD5_128 HMAC 6 m 128 bit
sha1 or sha SHA1 HMAC 2 x o a k 96 bit sha1, hmac
sha1_160 SHA1_160 HMAC 7 m 160 bit
aesxcbc AES XCBC 5 x a k 96 bit aes, xcbc
aescmac AES CMAC 8 x 96 bit aes, cmac
aes128gmac 128-bit AES-GMAC 9 q 128 bit
aes192gmac 192-bit AES-GMAC 10 q 128 bit
aes256gmac 256-bit AES-GMAC 11 q 128 bit
sha256 or sha2_256 SHA2_256_128 HMAC 12 x o a n 128 bit sha2, hmac
sha384 or sha2_384 SHA2_384_192 HMAC 13 x o a k 192 bit sha2, hmac
sha512 or sha2_512 SHA2_512_256 HMAC 14 x o a k 256 bit sha2, hmac
sha256_96 or sha2_256_96 SHA2_256_96 HMAC p n 96 bit
IKE support
x default built-in crypto plugin(s) (see separate column)
o OpenSSL crypto library (openssl plugin)
a AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (af-alg plugin)
It's also possible to use the hash implementations provided by the gcrypt or openssl plugin together with the hmac plugin.
ESP/AH support
k Linux 2.6+ kernel
m requires a Linux 2.6.33 kernel or newer
q for AH, AES-GMAC is negotiated as encryption algorithm for ESP
n before version 2.6.33 the Linux kernel incorrectly used 96 bit truncation for SHA-256, sha256_96 is only supported for compatibility with such kernels
p strongSwan uses the value 1026 from the IANA private use range

Pseudo-random Functions

Since 5.0.2 PRF algorithms can optionally be defined in IKEv2 proposals.

In earlier releases, or if none are configured, the proposed integrity algorithms are mapped to PRF functions.

Keyword Description IANA IKE Built-in Plugins
prfmd5 MD5 PRF 1 x o a md5, hmac
prfsha1 SHA1 PRF 2 x o a sha1, hmac
prfaesxcbc AES XCBC PRF 4 x a aes, xcbc
prfaescmac AES CMAC PRF 8 x aes, cmac
prfsha256 SHA2_256 PRF 5 x o a sha2, hmac
prfsha384 SHA2_384 PRF 6 x o a sha2, hmac
prfsha512 SHA2_512 PRF 7 x o a sha2, hmac
IKE support
x default built-in crypto plugin(s) (see separate column)
o OpenSSL crypto library (openssl plugin, since 5.0.0)
a AF_ALG userland crypto API for Linux 2.6.38 kernel or newer (af-alg plugin)
It's also possible to use the hashers/crypters provided by the gcrypt or openssl plugin together with the hmac plugin.

Diffie Hellman Groups

Keyword DH Group Modulus Subgroup IKE Questionable Security
Regular Groups
modp768 1 768 bits m o g l
modp1024 2 1024 bits m o g l
modp1536 5 1536 bits m o g
modp2048 14 2048 bits m o g
modp3072 15 3072 bits m o g
modp4096 16 4096 bits m o g
modp6144 17 6144 bits m o g
modp8192 18 8192 bits m o g
Modulo Prime Groups with Prime Order Subgroup
modp1024s160 22 1024 bits 160 bits m o g x
modp2048s224 23 2048 bits 224 bits m o g x
modp2048s256 24 2048 bits 256 bits m o g x
NIST Elliptic Curve Groups
ecp192 25 192 bits o
ecp224 26 224 bits o
ecp256 19 256 bits o
ecp384 20 384 bits o
ecp521 21 521 bits o
Brainpool Elliptic Curve Groups
ecp224bp 27 224 bits o
ecp256bp 28 256 bits o
ecp384bp 29 384 bits o
ecp512bp 30 512 bits o
Elliptic Curve 25519
curve25519 31 256 bits c
IKE support
c curve25519 plugin
m GMP multi-precision library (gmp plugin)
o OpenSSL crypto library (openssl plugin)
g Gcrypt crypto library (gcrypt plugin)
Questionable security
x questionable source of the primes. Potentially trapdoored (https://eprint.iacr.org/2016/961).
l broken by LogJam

Post-Quantum Key Exchange using NTRU Encryption

Keyword DH Group Strength IKE
ntru112 1030 112 bits n
ntru128 1031 128 bits n
ntru192 1032 192 bits n
ntru256 1033 256 bits n
IKE support
n ntru plugin (includes ntru-crypto library)

Post-Quantum Key Exchange using NewHope

Keyword DH Group Strength IKE
newhope128 1040 128 bits n
IKE support
n newhope plugin

Since the Diffie-Hellman Group Transform IDs 1030..1033 and 1040 selected by the strongSwan project to designate the four NTRU key exchange strengths and the NewHope key exchange algorithm, respectively, were taken from the private-use range, the strongSwan vendor ID must be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:

charon {
  send_vendor_id = yes
}