On 12/10/2015 11:34 AM, Andreas Steffen wrote:
> If you know the options on both sides then one set of options
> is sufficient. If the connection setup works the first time
> around then it will always work. If you are not sure what
> the other side supports then you have to define several
> options with the preferred option up front and the most common
> option e.g. (aes128-sha1-modp2048) at the very end.

Thanks for confirming that, Andreas. My suspicion was that would be the case, but I wanted to confirm.
> By the way
>
>     ike=aes256-sha2_256-ecp512bp
>
> does not give you constant 256 bit security. The correct choice is
>
>     ike=aes256-sha512-ecp512bp!

Excellent, this is great information!

Thank you,

tom
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
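
The two points made in this thread (proposal order with a fallback at the end, and a proposal whose parts do not all reach the same security level) can be checked mechanically. The following is an added example, not code from the posters or from strongSwan; the strength table is an assumption based on the common convention of counting a hash as half its output size, an elliptic curve as half its field size, and modp2048 as 112 bits.

```python
# Nominal strength in bits per proposal keyword. Constructed table (assumption),
# limited to the keywords that appear in this thread plus their aliases.
STRENGTH = {
    "aes128": 128, "aes256": 256,
    "sha1": 80, "sha256": 128, "sha2_256": 128, "sha512": 256, "sha2_512": 256,
    "modp2048": 112, "ecp512bp": 256,
}

def parse_ike(value):
    """Split an ike= value into (proposals in preference order, strict flag)."""
    value = value.strip()
    strict = value.endswith("!")  # trailing "!" limits negotiation to this list
    proposals = [p.strip().split("-")
                 for p in value.rstrip("!").split(",") if p.strip()]
    return proposals, strict

def audit(value):
    """Return one report dict per proposal, keeping the configured order."""
    proposals, strict = parse_ike(value)
    report = []
    for algs in proposals:
        unknown = [a for a in algs if a not in STRENGTH]
        if unknown:
            raise ValueError(f"keyword not in table: {unknown}")
        bits = {a: STRENGTH[a] for a in algs}
        weakest = min(bits, key=bits.get)  # first keyword wins on a tie
        report.append({
            "proposal": "-".join(algs),
            "effective_bits": bits[weakest],
            "weakest": weakest,
            "balanced": len(set(bits.values())) == 1,
            "strict": strict,
        })
    return report

if __name__ == "__main__":
    # Constructed inputs: the two lines from the thread, then a preferred
    # proposal followed by the common fallback mentioned in the thread.
    for line in ("aes256-sha2_256-ecp512bp",
                 "aes256-sha512-ecp512bp!",
                 "aes256-sha512-ecp512bp,aes128-sha1-modp2048"):
        for entry in audit(line):
            print(entry)
```
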
