Written on May 8, 2016
IPsec is (as far as most people know) a secure (you aren’t using a PSK, I hope) - yet complex - way to secure IP traffic. It supports IP traffic confidentiality and integrity and can be used to build a VPN. strongSwan is an IPsec implementation available for Linux that I’ve been using for over a year now.
strongSwan supports a variety of encryption algorithms, such as Blowfish-CBC, AES-GCM, AES-CCM, and ChaCha20. Integrity algorithms include AES-GMAC and the SHA-2 family. Diffie Helman groups include the usual suspects (1024 up to 8192 bit moduluses (moduli?)), as well as some NIST and Brainpool elliptic curves (none of which are “SafeCurves”, though). There is even support for the NTRU crypto system, which is has not (yet) been shown to be vulnerable to quantum computing attacks.
AES-GCM and AES-CCM are both federal standards that support Authenticated Encryption with Associated Data (AEAD). One of the benefits of GCM over CCM is that, in 2010 Intel added an instruction to their chips to assist in GCM computation. Naturally AMD followed their lead, so performance of GCM is significantly better than CCM if you have the hardware to support it.
Below are the critical details from my ipsec.conf file that I have in my VPN server, which I connect my Android phone to:
# ipsec.conf - strongSwan IPsec configuration file config setup charondebug="ike 2, cfg 2" conn %default left=22.214.171.124 # my server's IP address goes here auto=add leftcert=server_cert.pem conn rw leftfirewall=yes leftsubnet=0.0.0.0/0 right=%any rightcert=client_cert.pem rightsourceip=10.11.12.13 ike = aes256gcm128-sha512-modp8192! esp = aes256gcm128-sha512-modp8192!
Ooh! Another cool thing about strongSwan - you can use it with smartcards, including the good old Feitian PKI card.