ipsec.conf and AES 256

2007-11-19 Thread Mitja Muženič
As far as I can tell, currently in ipsec.conf there is no way to use AES
with KEY_LENGTH=256. Is anybody working on adding this? Otherwise I might
try it when the time permits. 

I'm thinking that isakmpd should first learn about a new default transform,
let's say AES256 - then adding that into ipsecctl/ipsec.conf should be
pretty much trivial. 

The other route is not to add this new default transform to isakmpd, but to
have ipsecctl generate a config with a non-default transform - this does not
touch isakmpd at all, but is less than trivial in ipsecctl.

Thoughts, anyone?

Mitja



Re: ipsec.conf and AES 256

2007-11-19 Thread Hans-Joerg Hoexer
On Mon, Nov 19, 2007 at 12:26:16PM +0100, Mitja Muženič wrote:
> As far as I can tell, currently in ipsec.conf there is no way to use AES
> with KEY_LENGTH=256. Is anybody working on adding this? Otherwise I might
> try it when the time permits. 
> 
> I'm thinking that isakmpd should first learn about a new default transform,
> let's say AES256 - then adding that into ipsecctl/ipsec.conf should be
> pretty much trivial. 

This sounds like a reasonable approach to me.

> 
> The other route is not to add this new default transform to isakmpd, but to
> have ipsecctl generate a config with a non-default transform - this does not
> touch isakmpd at all, but is less than trivial in ipsecctl.
> 
> Thoughts, anyone?
> 
> Mitja