On Sun, 2010-10-03 at 13:54 +0200, Andreas Steffen wrote:
> Actually esp does not need an additional hash algorithm if AEAD
> is used. Thus
>
> esp = aes256gcm128-sha512-modp2048!
>
> is actually wrong. The correct syntax is
>
> esp = aes256gcm128-modp2048!
>
> if you want perfect forward secrecy or just
>
> esp = aes256gcm128!
>
> without PFS during IPsec SA rekeying. With non-AEAD authentication
> a data integrity algorithm *must* be defined, e.g.
>
> esp=aes256-sha512!

Ah, thanks for that information... and I guess with the ike parameter it's the same. Could you please update the manpages/wiki pages to reflect this for other end-users like me?! ;)

Cheers,
Chris.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
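
The rule discussed in this thread (an AEAD cipher in esp= takes no separate integrity algorithm, a non-AEAD cipher must have one, and a DH group selects PFS on rekeying) written as a small lint check. This is an added example, not part of the original mails and not strongSwan's own parser; the function names and the simplified keyword patterns are assumptions made for illustration.

```python
import re

# Simplified keyword classes. Assumption: only the algorithm families seen in
# this thread are covered; this is not strongSwan's full proposal grammar.
AEAD = re.compile(r"^(aes(128|192|256)(gcm|ccm)\d+|chacha20poly1305)$")
CIPHER = re.compile(r"^(aes(128|192|256)|3des|camellia(128|192|256))$")
INTEG = re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc)$")
DHGROUP = re.compile(r"^(modp|ecp)\d+$")


def check_proposal(proposal):
    """Return (problems, pfs) for one dash-separated ESP proposal."""
    tokens = [t for t in proposal.strip().lower().split("-") if t]
    aead = [t for t in tokens if AEAD.match(t)]
    cipher = [t for t in tokens if CIPHER.match(t)]
    integ = [t for t in tokens if INTEG.match(t)]
    dh = [t for t in tokens if DHGROUP.match(t)]
    unknown = [t for t in tokens if t not in aead + cipher + integ + dh]

    problems = []
    if unknown:
        problems.append("unrecognised keyword(s): " + ", ".join(unknown))
    if not aead and not cipher:
        problems.append("no encryption algorithm")
    if aead and integ:
        problems.append("AEAD cipher %s already provides integrity; remove %s"
                        % (aead[0], ", ".join(integ)))
    if cipher and not integ:
        problems.append("non-AEAD cipher %s needs an integrity algorithm"
                        % cipher[0])
    # A DH group in the proposal means PFS on IPsec SA rekeying.
    return problems, bool(dh)


def check_esp_line(line):
    """Check an 'esp = ...' line; returns [(proposal, problems, pfs), ...]."""
    key, sep, value = line.partition("=")
    if key.strip() != "esp" or not sep:
        raise ValueError("not an esp= line: %r" % line)
    proposals = value.strip().rstrip("!").split(",")  # trailing '!' = strict flag
    return [(p.strip(),) + check_proposal(p) for p in proposals]


if __name__ == "__main__":
    # The four proposals quoted in the thread, plus one constructed bad case.
    for line in ("esp = aes256gcm128-sha512-modp2048!",
                 "esp = aes256gcm128-modp2048!", "esp = aes256gcm128!",
                 "esp = aes256-sha512!", "esp = aes256!"):
        print(line, "->", check_esp_line(line))
```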
