Algorithm Proposals (Cipher Suites)

The keywords listed below can be used with the proposals and ah|esp_proposals settings in swanctl.conf to define IKE and ESP/AH proposals/cipher suites. IANA provides a complete list of algorithm identifiers registered for IKEv2.

General Proposal Format

The basic format of a proposal is simply a list of algorithm keywords separated by dashes. With IKEv2, multiple algorithms of the same kind can be specified in a single proposal, their order defines the preference in descending order.

IKEv1 only supports one algorithm of each kind per proposal. Additional algorithms are implicitly stripped. Use multiple proposals to offer different algorithm combinations for IKEv1.

For instance, the ESP proposal aes256gcm16-aes128gcm16 specifies two authenticated encryption algorithms, of which the former is preferred over the latter.

The following IKEv2 proposal additionally lists algorithms for the required PRF and key exchange methods:

aes256gcm16-aes192gcm16-prfsha384-prfsha256-ecp384-modp3072 (1)

aes256gcm16-prfsha384-ecp384-aes192gcm16-prfsha256-modp3072 (2)
1 aes256gcm16 is preferred over aes192gcm16, prfsha384 over prfsha256, and ecp384 over modp3072.
2 The order of algorithms of different kinds doesn’t matter, so this is the exact same proposal.

Multiple proposals may be configured (separated with commas in swanctl.conf). This is e.g. necessary in order to accept AEAD and classic encryption/integrity algorithms as they must not be used in the same proposal. The order of the proposals defines their preference.

Proposal Selection

When selecting a proposal as responder, based on the ones configured and those received from the initiator, strongSwan prefers its own configuration by default.

That is, the first configured proposal (and within it the first algorithm of each kind) that is accepted by the received proposals is selected and returned to the initiator.

Example of Default Proposal Selection
Configured: aes256gcm16-aes192gcm16-prfsha384-prfsha256-ecp384-modp3072
Received  : aes128-aes192-aes256-sha256-sha384-modp2048-modp3072-ecp384 (1)
            aes128gcm16-aes192gcm16-aes256gcm16-prfsha256-prfsha384-modp3072-ecp384 (2)
Selected  : aes256gcm16-prfsha384-ecp384 (3)
1 This proposal is rejected as it uses classic encryption/integrity algorithms instead of AEAD algorithms.
2 While aes192gcm16 is proposed earlier, the configured proposal prefers aes256gcm16, which is also contained in the received proposal and thus selected. Similarly for the other algorithms.
3 Because the initiator proposed modp3072 first, the received KE payload will also be for that algorithm. By selecting ecp384 as key exchange method, this will cause an INVALID_KE_PAYLOAD error in order to request a KE payload of the selected algorithm (i.e. this requires an additional roundtrip).

Depending on the use case, this behavior can be changed by disabling charon.prefer_configured_proposals in strongswan.conf. If this option is disabled, the first received proposal (and within it the first algorithm of each kind) that is accepted by the configured proposals is selected and returned to the initiator.

Example of Alternative Proposal Selection
Configured: aes256gcm16-aes192gcm16-prfsha384-prfsha256-ecp384-modp3072
Received  : aes128-aes192-aes256-sha256-sha384-modp2048-modp3072-ecp384 (1)
            aes128gcm16-aes192gcm16-aes256gcm16-prfsha256-prfsha384-modp3072-ecp384 (2)
Selected  : aes192gcm16-prfsha256-modp3072 (3)
1 Again, this proposal is rejected as it does not match the configured proposal at all.
2 aes192gcm16 is selected as it is the first proposed encryption algorithm that’s not rejected by the configured proposal (aes128gcm16 is not contained in it and skipped).
3 The selected key exchange method is the first one proposed by the initiator and, thus, likely matches the received KE payload.

IKE Support Options

The single-character options in the list below are used throughout this document to designate the third-party crypto libraries and/or the default strongSwan plugins that support a given crypto algorithm used by the IKE protocol.

Algorithms designated by s are strongly deprecated because they have become cryptographically weak and thus prone to attacks.

Option Plugin Since

s

Deprecated due to security issues

x

Default crypto plugin[s]

see Plugins columns below

b

Botan crypto library

botan

strongSwan 5.7.0

w

wolfSSL crypto library

wolfssl

strongSwan 5.8.0

o

OpenSSL crypto library

openssl

g

Gcrypt crypto library

gcrypt

a

AF_ALG userland Linux crypto API

af-alg

Linux kernel 2.6.38

ESP Support Options

The single-character options in the list below are used throughout this document to designate the Linux kernel versions that support a given crypto algorithm used by the ESP or AH IPsec protocols.

Algorithms designated by s are strongly deprecated because they have become cryptographically weak and thus prone to attacks.

Option Since

s

Deprecated due to security issues

k

Linux kernel 2.6

m

Linux kernel 2.6.33

n

Linux kernel 4.2

p

Compatibility with kernels incorrectly using 96 bit truncation for SHA256

Linux kernel < 2.6.33

q

for AH, AES-GMAC is negotiated as encryption algorithm for ESP

Encryption Algorithms

Keyword Description IANA IKE ESP Plugins

3des

168 bit 3DES-EDE-CBC

3

s x w o g a

s k

des

cast128

128 bit CAST-CBC

6

s o g a

s k

blowfish128 or blowfish

128 bit Blowfish-CBC

7

s x o g a

s k

blowfish

blowfish192

192 bit Blowfish-CBC

7

s x o a

s k

blowfish

blowfish256

256 bit Blowfish-CBC

7

s x o a

s k

blowfish

null

Null encryption

11

w o

k

aes128 or aes

128 bit AES-CBC

12

x b w o g a

k

aes

aes192

192 bit AES-CBC

12

x b w o g a

k

aes

aes256

256 bit AES-CBC

12

x b w o g a

k

aes

aes128ctr

128 bit AES-COUNTER

13

x w o g a

k

aes, ctr

aes192ctr

192 bit AES-COUNTER

13

x w o g a

k

aes, ctr

aes256ctr

256 bit AES-COUNTER

13

x w o g a

k

aes, ctr

camellia128 or camellia

128 bit Camellia-CBC

23

o g a

k

camellia192

192 bit Camellia-CBC

23

o g a

k

camellia256

256 bit Camellia-CBC

23

o g a

k

camellia128ctr

128 bit Camellia-COUNTER

24

o g a

k

camellia192ctr

192 bit Camellia-COUNTER

24

o g a

k

camellia256ctr

256 bit Camellia-COUNTER

24

o g a

k

Authenticated Encryption (AEAD) Algorithms

AEAD (Authenticated Encryption with Associated Data) algorithms can’t be combined with classic encryption ciphers in the same proposal. No separate integrity algorithm must be proposed and therefore Pseudo-Random Functions (PRFs) have to be included explicitly in such proposals.

Keyword Description IANA IKE ESP Plugins

aes128ccm8 or
aes128ccm64

128 bit AES-CCM with 64 bit ICV

14

x b w o g a

k

aes, ccm

aes192ccm8 or
aes192ccm64

192 bit AES-CCM with 64 bit ICV

14

x b w o g a

k

aes, ccm

aes256ccm8 or
aes256ccm64

256 bit AES-CCM with 64 bit ICV

14

x b w o g a

k

aes, ccm

aes128ccm12 or
aes128ccm96

128 bit AES-CCM with 96 bit ICV

15

x b w o g a

k

aes, ccm

aes192ccm12 or
aes192ccm96

192 bit AES-CCM with 96 bit ICV

15

x b w o g a

k

aes, ccm

aes256ccm12 or
aes256ccm96

256 bit AES-CCM with 96 bit ICV

15

x b w o g a

k

aes, ccm

aes128ccm16 or
aes128ccm128

128 bit AES-CCM with 128 bit ICV

16

x b w o g a

k

aes, ccm

aes192ccm16 or
aes192ccm128

192 bit AES-CCM with 128 bit ICV

16

x b w o g a

k

aes, ccm

aes256ccm16 or
aes256ccm128

256 bit AES-CCM with 128 bit ICV

16

x b w o g a

k

aes, ccm

aes128gcm8 or
aes128gcm64

128 bit AES-GCM with 64 bit ICV

18

x b w o g a

k

aes, gcm

aes192gcm8 or
aes192gcm64

192 bit AES-GCM with 64 bit ICV

18

x b w o g a

k

aes, gcm

aes256gcm8 or
aes256gcm64

256 bit AES-GCM with 64 bit ICV

18

x b w o g a

k

aes, gcm

aes128gcm12 or
aes128gcm96

128 bit AES-GCM with 96 bit ICV

19

x b w o g a

k

aes, gcm

aes192gcm12 or
aes192gcm96

192 bit AES-GCM with 96 bit ICV

19

x b w o g a

k

aes, gcm

aes256gcm12 or
aes256gcm96

256 bit AES-GCM with 96 bit ICV

19

x b w o g a

k

aes, gcm

aes128gcm16 or
aes128gcm128

128 bit AES-GCM with 128 bit ICV

20

x b w o g a

k

aes, gcm

aes192gcm16 or
aes192gcm128

192 bit AES-GCM with 128 bit ICV

20

x b w o g a

k

aes, gcm

aes256gcm16 or
aes256gcm128

256 bit AES-GCM with 128 bit ICV

20

x b w o g a

k

aes, gcm

aes128gmac

Null encryption with 128 bit AES-GMAC

21

k

aes192gmac

Null encryption with 192 bit AES-GMAC

21

k

aes256gmac

Null encryption with 256 bit AES-GMAC

21

k

camellia128ccm8 or
camellia128ccm64

128 bit Camellia-CCM with 64 bit ICV

25

o g a

camellia192ccm8 or
camellia192ccm64

192 bit Camellia-CCM with 64 bit ICV

25

o g a

camellia256ccm8 or
camellia256ccm64

256 bit Camellia-CCM with 64 bit ICV

25

o g a

camellia128ccm12 or
camellia128ccm96

128 bit Camellia-CCM with 96 bit ICV

26

o g a

camellia192ccm12 or
camellia192ccm96

192 bit Camellia-CCM with 96 bit ICV

26

o g a

camellia256ccm12 or
camellia256ccm96

256 bit Camellia-CCM with 96 bit ICV

26

o g a

camellia128ccm16 or
camellia128ccm128

128 bit Camellia-CCM with 128 bit ICV

27

o g a

camellia192ccm16 or
camellia192ccm128

192 bit Camellia-CCM with 128 bit ICV

27

o g a

camellia256ccm16 or
camellia256ccm128

256 bit Camellia-CCM with 128 bit ICV

27

o g a

chacha20poly1305

256 bit ChaCha20/Poly1305 with 128 bit ICV

28

x b w o

n

chapoly

Integrity Algorithms

Keyword Description IANA IKE ESP Plugins

md5

MD5 HMAC (96 bit)

1

s x w o a

s k

md5, hmac

md5_128

MD5_128 HMAC (128 bit)

6

s w

s m

sha1 or sha

SHA1 HMAC (96 bit)

2

s x b w o a

s k

sha1, hmac

sha1_160

SHA1_160 HMAC (160 bit)

7

s w

s m

aesxcbc

AES XCBC (96 bit)

5

x a

k

aes, xcbc

aescmac

AES CMAC (96 bit)

8

x

aes, cmac

aes128gmac

128-bit AES-GMAC (128 bit)

9

q

aes192gmac

192-bit AES-GMAC (128 bit)

10

q

aes256gmac

256-bit AES-GMAC (128 bit)

11

q

sha256 or sha2_256

SHA2_256_128 HMAC (128 bit)

12

x b w o a

m

sha2, hmac

sha384 or sha2_384

SHA2_384_192 HMAC (192 bit)

13

x b w o a

m

sha2, hmac

sha512 or sha2_512

SHA2_512_256 HMAC (256 bit)

14

x b w o a

m

sha2, hmac

sha256_96 or sha2_256_96

SHA2_256_96 HMAC (96 bit)

1024

p

It’s also possible to use the hash implementations provided by the gcrypt plugin together with the hmac plugin.

Pseudo-Random Functions

PRF algorithms can optionally be defined in IKEv2 proposals. In earlier releases or if no pseudo-random functions are configured, the proposed integrity algorithms are mapped to pseudo-random functions.

If AEAD ciphers are proposed there won’t be any integrity algorithms from which to derive PRFs. Thus PRF algorithms have to be configured explicitly.

Keyword Description IANA IKE Plugins

prfmd5

MD5 PRF

1

s x w o a

md5, hmac

prfsha1

SHA1 PRF

2

s x b w o a

sha1, hmac

prfaesxcbc

AES XCBC PRF

4

x a

aes, xcbc

prfaescmac

AES CMAC PRF

8

x

aes, cmac

prfsha256

SHA2_256 PRF

5

x b w o a

sha2, hmac

prfsha384

SHA2_384 PRF

6

x b w o a

sha2, hmac

prfsha512

SHA2_512 PRF

7

x b w o a

sha2, hmac

It’s also possible to use the hashers provided by the gcrypt plugin together with the hmac plugin.

Key Derivation Functions

Based on the negotiated PRF, IKEv2 derives key material in two separate steps (PRF/prf+). Since strongSwan 5.9.6, these are provided by plugins.

Base PRF IKE Plugins

MD5 PRF

s x w o

md5, hmac, kdf

SHA1 PRF

s x b w o

sha1, hmac, kdf

AES XCBC PRF

x

aes, xcbc, kdf

AES CMAC PRF

x

aes, xcbc, kdf

SHA2_256 PRF

x b w o

sha2, hmac, kdf

SHA2_384 PRF

x b w o

sha2, hmac, kdf

SHA2_512 PRF

x b w o

sha2, hmac, kdf

The botan, openssl and wolfssl plugins implement HMAC-based KDFs directly via their respective HKDF (RFC 5869) implementation.

The kdf plugin provides generic wrappers for any supported generic PRF.

Key Exchange Methods

Using Multiple Key Exchanges

With peers that support multiple IKEv2 key exchanges (RFC 9370), up to seven additional key exchanges may be negotiated. They can be configured by prefixing the algorithm keyword with keX_ (where X is a number between 1 and 7). So a total of eight key exchanges may be used for each SA.

For example, x25519-ke1_mlkem786 adds ML-KEM-786 as additional key exchange method after the initial key exchange with X25519. This works with any key exchange method, whether post-quantum or classic Diffie-Hellman.

As with any algorithm in proposals, peers have to agree on a KE method for each round unless no algorithms are defined by both or keX_none is configured to make a particular round explicitly optional (there can be gaps, so it’s technically fine to negotiate e.g. x25519-ke7_mlkem786).

Classic Diffie-Hellman Groups

Regular Modular Prime Groups

Keyword Modulus IANA IKE Plugins

modp768

768 bits

1

s x b w o g

gmp

modp1024

1024 bits

2

s x b w o g

gmp

modp1536

1536 bits

5

s x b w o g

gmp

modp2048

2048 bits

14

x b w o g

gmp

modp3072

3072 bits

15

x b w o g

gmp

modp4096

4096 bits

16

x b w o g

gmp

modp6144

6144 bits

17

x b o g

gmp

modp8192

8192 bits

18

x b o g

gmp

Modular Prime Groups with Prime Order Subgroup

Keyword Modulus Subgroup IANA IKE Plugins

modp1024s160

1024 bits

160 bits

22

s x b w o g

gmp

modp2048s224

2048 bits

224 bits

23

s x b w o g

gmp

modp2048s256

2048 bits

256 bits

24

s x b w o g

gmp

Elliptic Curve Diffie-Hellman Groups

NIST Elliptic Curve Groups

Keyword Prime Size IANA IKE Plugins

ecp192

192 bits

25

s w o

ecp224

224 bits

26

w o

ecp256

256 bits

19

b w o

ecp384

384 bits

20

b w o

ecp521

521 bits

21

b w o

Brainpool Elliptic Curve Groups

Keyword Modulus IANA IKE Plugins

ecp224bp

224 bits

27

o

ecp256bp

256 bits

28

b w o

ecp384bp

384 bits

29

b w o

ecp512bp

512 bits

30

b w o

Modern Elliptic Curve Groups

Keyword Modulus IANA IKE Plugins

curve25519 or x25519

256 bits

31

x b w o

curve25519

curve448 or x448

448 bits

32

w o

Post-Quantum Key Exchange Methods

The parameter set of a certain security strength category is claimed to be at least as secure as a generic block cipher with the prescribed key size or a generic hash with the prescribed output length.

Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM, FIPS 203)

Keyword Security IANA IKE Plugins

mlkem512

1 (128 bits)

35

x b w o

ml

mlkem768

3 (192 bits)

36

x b w o

ml

mlkem1024

5 (256 bits)

37

x b w o

ml

The openssl plugin currently only supports ML-KEM via AWS-LC, not via OpenSSL.

Signature Algorithms

Signature algorithms are not negotiated with proposals. But some of them are implemented only by certain plugins.

Algorithm Hash OID IKE Plugins

RSA PKCS#1 v1.5

MD5

1.2.840.113549.1.1.4

s x w o g

gmp, md5

RSA PKCS#1 v1.5

SHA-1

1.2.840.113549.1.1.5

s x b w o g

gmp, sha1

RSA PKCS#1 v1.5

SHA-2 224

1.2.840.113549.1.1.14

x b w o g

gmp, sha2

RSA PKCS#1 v1.5

SHA-2 256

1.2.840.113549.1.1.11

x b w o g

gmp, sha2

RSA PKCS#1 v1.5

SHA-2 384

1.2.840.113549.1.1.12

x b w o g

gmp, sha2

RSA PKCS#1 v1.5

SHA-2 512

1.2.840.113549.1.1.13

x b w o g

gmp, sha2

RSA PKCS#1 v1.5

SHA-3 224

2.16.840.1.101.3.4.3.13

x b w o

gmp, sha3

RSA PKCS#1 v1.5

SHA-3 256

2.16.840.1.101.3.4.3.14

x b w o

gmp, sha3

RSA PKCS#1 v1.5

SHA-3 384

2.16.840.1.101.3.4.3.15

x b w o

gmp, sha3

RSA PKCS#1 v1.5

SHA-3 512

2.16.840.1.101.3.4.3.16

x b w o

gmp, sha3

RSA PKCS#1 PSS

Various

1.2.840.113549.1.1.10

x b w o g

gmp, mgf1, …​

ECDSA

SHA-1

1.2.840.10045.4.1

b w o

ECDSA

SHA-2 256

1.2.840.10045.4.3.2

b w o

ECDSA

SHA-2 384

1.2.840.10045.4.3.3

b w o

ECDSA

SHA-2 512

1.2.840.10045.4.3.4

b w o

Ed25519

1.3.101.112

x b w o

curve25519, sha2

Ed448

1.3.101.113

w o

Commercial National Security Algorithm Suite

The Suite B cryptographic suites for IPsec (RFC 6379) have been superseded by the Commercial National Security Algorithm Suite (CNSA) suite which basically deprecates the 128-bit suite defined by Suite B. Its recommendations regarding algorithm parameters are as follows:

Encryption

AES with 256-bit key length (aes256gcm16 or aes256)

Key Exchange

ECDH with NIST P-384 curve (ecp384)
DH with at least 3072-bit modulus (modp3072 or higher)

Pseudo-Random Function/Integrity Protection

SHA-384 (e.g. prfsha384 or sha384 if not using AES in GCM mode)

Digital Signatures

ECDSA with NIST P-384 curve
RSA with at least 3072-bit modulus

Deprecated NSA Suite B

strongSwan does not provide direct keywords to configure the deprecated Suite B cryptographic suites defined in RFC 6379 whose status was set to historic in 2018. But Suite B algorithms may be configured explicitly using the following proposal strings (if supported by plugins and IPsec implementation):

ESP Integrity Protection and Confidentiality

Suite-B-GCM-128

IKE: aes128gcm16-prfsha256-ecp256
ESP: aes128gcm16-ecp256

Suite-B-GCM-256

IKE: aes256gcm16-prfsha384-ecp384
ESP: aes256gcm16-ecp384

ESP Integrity Protection Only

Suite-B-GMAC-128

IKE: aes128-sha256-ecp256
ESP: aes128gmac-ecp256

Suite-B-GMAC-256

IKE: aes256-sha384-ecp384
ESP: aes256gmac-ecp384

The proposal strings above enable PFS (Perfect Forward Secrecy). Omit the DH groups in the ESP proposals to disable PFS or configure two proposals, one with and one without DH group in order to let the peer decide whether PFS is used. This is what the strongSwan Android VPN client implements in its default ESP proposals.