On Sun, Sep 05, 2010 at 16:49 +0000, Christian Weisgerber wrote:
> Mike Belopuhov <m...@crypt.org.ru> wrote:
> 
> > note that it defaults to AESGCM-256 (i did it this way because
> > linux picks largest key).
> 
> I don't understand that rationale.
> 
> A side effect of this is that you now get different key sizes if
> you specify "aes-gcm" in a manual SA (128) or an IKE rule (256).
> 

this is bad indeed.  i propose the following: isakmpd always defaults
to 256 if keylength is not specified.  ipsecctl loses "aes-gcm" and
"aes-gmac" specifications, so that you always have to specify key length.

does that sound good?
