As far as I can tell, currently in ipsec.conf there is no way to use AES with KEY_LENGTH=256. Is anybody working on adding this? Otherwise I might try it when time permits.
I'm thinking that isakmpd should first learn about a new default transform, let's say AES256 - then adding that into ipsecctl/ipsec.conf should be pretty much trivial. The other route is not to add this new default transform to isakmpd, but to have ipsecctl generate a config with a non-default transform - this does not touch isakmpd at all, but is less than trivial in ipsecctl. Thoughts, anyone?

Mitja