option

services.strongswan-swanctl.swanctl.connections.<name>.proposals

A proposal is a set of algorithms. For non-AEAD IKE proposals, this includes an encryption algorithm, an integrity algorithm, a pseudo-random function and a key exchange method. For AEAD proposals, instead of encryption and integrity algorithms, a combined mode algorithm is used.

With peers that support multiple IKEv2 key exchanges (RFC 9370), up to seven additional key exchanges may be negotiated. They can be configured by prefixing the algorithm keyword with keX_ (where X is a number between 1 and 7).

For IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. For IKEv1, only one algorithm per kind is allowed per proposal; any additional algorithms are implicitly stripped. Use multiple proposals to offer different algorithm combinations with IKEv1.

Algorithm keywords are separated by dashes. The special value default forms a default proposal of supported algorithms considered safe, and is usually a good choice for interoperability.

StrongSwan default: ["default"]
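
The following NixOS fragment is an added example, not taken from the option's own documentation. It shows the proposal forms described above: AEAD, non-AEAD with several algorithms per kind, an additional key exchange, and IKEv1. The connection names and example.net hosts are constructed, authentication and child settings are assumed to be configured elsewhere, and the ke1_mlkem768 keyword assumes a strongSwan build with ML-KEM support.

```nix
{
  services.strongswan-swanctl = {
    enable = true;
    swanctl.connections = {
      # IKEv2, AEAD: the combined-mode cipher (aes256gcm16) replaces the
      # separate encryption and integrity algorithms. A PRF and a key
      # exchange method are still named.
      site-aead = {
        version = 2;
        remote_addrs = [ "vpn-a.example.net" ]; # constructed host
        proposals = [ "aes256gcm16-prfsha384-ecp384" ];
      };

      # IKEv2, non-AEAD: several algorithms of the same kind in one
      # proposal; one of each kind gets selected during negotiation.
      site-classic = {
        version = 2;
        remote_addrs = [ "vpn-b.example.net" ]; # constructed host
        proposals = [
          "aes256-aes128-sha384-sha256-prfsha384-prfsha256-ecp384-x25519"
        ];
      };

      # IKEv2 with one additional key exchange (RFC 9370): the ke1_ prefix
      # marks the first additional exchange. The second list entry offers
      # the same suite without it for peers lacking RFC 9370 support.
      # Assumption: the installed strongSwan supports the mlkem768 keyword.
      site-hybrid = {
        version = 2;
        remote_addrs = [ "vpn-c.example.net" ]; # constructed host
        proposals = [
          "aes256gcm16-prfsha384-x25519-ke1_mlkem768"
          "aes256gcm16-prfsha384-x25519"
        ];
      };

      # IKEv1: only one algorithm per kind per proposal, so alternative
      # combinations are offered as separate list entries.
      site-ikev1 = {
        version = 1;
        remote_addrs = [ "vpn-d.example.net" ]; # constructed host
        proposals = [ "aes256-sha256-modp2048" "aes128-sha256-modp2048" ];
      };
    };
  };
}
```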

Declarations
Type
null or (list of string)
Default
null