Hi,
Is there a way to force child SAs not have ciphers that are stronger
(in term of bits) than the the IKE SA that created them. In other words,
I want to be able to force IKE encryption to be always stronger or equal
than that of Child SAs. I know this can be achieved by configuring IKE
ciphers such that the lowest strength cipher is stronger or equal to
that of any esp cipher, but that is very limiting. Having the ability to
do this at run time gives the peers more flexibility and more ciphers
options to pick from and only make the decision per connection.
Regards,
Jafar
- [strongSwan] IKE Ciphers in relation to ESP Ciphers Jafar Al-Gharaibeh
-
