Supported Protocols and Cryptographic Algorithms



Rockhopper supports only IKEv2 (Internet Key Exchange version 2) and ESP (Encapsulating Security Payload); IKEv1 and AH are not supported.


- IKE SA's default SA proposals:

By default, Rockhopper (initiator) sends the following single SA proposal, which lists every supported algorithm for each transform type, to establish an IKE SA.

Proposal No. 1
  ENCR  : 3DES, AES_CBC_256, AES_CBC_192, AES_CBC_128
  PRF   : HMAC_SHA2_512, HMAC_SHA2_384, HMAC_SHA2_256, HMAC_SHA1, HMAC_MD5
  INTEG : HMAC_SHA2_512_256, HMAC_SHA2_384_192, HMAC_SHA2_256_128, HMAC_SHA1_96, HMAC_MD5_96
  DH    : Group14 (MODP2048), Group5 (MODP1536), Group2 (MODP1024)

By default, Rockhopper (responder) replies with a proposal containing AES_CBC_256, HMAC_SHA2_512, HMAC_SHA2_512_256 and Group14. You can change these settings, for example to reduce the machine's load or to keep packets within a maximum length. Because an IKEv2 responder may choose any transform offered in a proposal, a peer that prefers legacy algorithms can still select 3DES, HMAC_MD5 or Group2 (MODP1024) from this default proposal; remove them from the initiator's configuration if your peers support the stronger ones.



- Child SA's default SA proposals:

By default, Rockhopper (initiator) sends the following single SA proposal, which lists every supported algorithm for each transform type, to establish a Child SA.

Proposal No. 1
  ENCR  : 3DES, AES_CBC_256, AES_CBC_192, AES_CBC_128
  INTEG : HMAC_SHA2_512_256, HMAC_SHA2_384_192, HMAC_SHA2_256_128, HMAC_SHA1_96, HMAC_MD5_96
  ESN   : Enabled, Disabled

By default, Rockhopper (responder) replies with a proposal containing AES_CBC_256, HMAC_SHA2_512_256 and ESN (Enabled). You can change these settings, for example to reduce the machine's load or to keep packets within a maximum length. As with the IKE SA proposal, the responder may pick 3DES or HMAC_MD5_96 if they are offered, so remove them from the initiator's configuration when the peer supports the stronger algorithms.
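As an added illustration (not Rockhopper's own code), the following Python encodes the two default proposals above as RFC 7296 SA payload substructures and models the responder's choice. The transform type numbers and IANA transform IDs are those of the IKEv2 registry; the responder's preference order beyond the winning transforms the page names, and the 4-byte ESP SPI, are assumptions made for the example.

```python
"""IKEv2 SA payload proposals (RFC 7296 section 3.3): encoding the default IKE SA and
Child SA proposals listed above, and the responder-side transform selection."""
import struct

# Transform types (RFC 7296 3.3.2) and protocol IDs (3.3.1)
ENCR, PRF, INTEG, DH, ESN = 1, 2, 3, 4, 5
PROTO_IKE, PROTO_ESP = 1, 3
KEY_LENGTH_ATTR = 14  # the only transform attribute defined; carries the AES key size

# IANA transform IDs for the algorithms in the default proposals.
# AES_CBC_128/192/256 all use transform ID 12 and differ only by the KEY_LENGTH attribute.
TRANSFORM_IDS = {
    ENCR:  {"3DES": (3, None), "AES_CBC_256": (12, 256),
            "AES_CBC_192": (12, 192), "AES_CBC_128": (12, 128)},
    PRF:   {"HMAC_SHA2_512": (7, None), "HMAC_SHA2_384": (6, None), "HMAC_SHA2_256": (5, None),
            "HMAC_SHA1": (2, None), "HMAC_MD5": (1, None)},
    INTEG: {"HMAC_SHA2_512_256": (14, None), "HMAC_SHA2_384_192": (13, None),
            "HMAC_SHA2_256_128": (12, None), "HMAC_SHA1_96": (2, None), "HMAC_MD5_96": (1, None)},
    DH:    {"Group14": (14, None), "Group5": (5, None), "Group2": (2, None)},
    ESN:   {"Enabled": (1, None), "Disabled": (0, None)},
}

# The single default proposal each side sends, exactly as listed in the tables above.
IKE_DEFAULT = {
    ENCR: ["3DES", "AES_CBC_256", "AES_CBC_192", "AES_CBC_128"],
    PRF: ["HMAC_SHA2_512", "HMAC_SHA2_384", "HMAC_SHA2_256", "HMAC_SHA1", "HMAC_MD5"],
    INTEG: ["HMAC_SHA2_512_256", "HMAC_SHA2_384_192", "HMAC_SHA2_256_128", "HMAC_SHA1_96", "HMAC_MD5_96"],
    DH: ["Group14", "Group5", "Group2"],
}
CHILD_DEFAULT = {
    ENCR: ["3DES", "AES_CBC_256", "AES_CBC_192", "AES_CBC_128"],
    INTEG: ["HMAC_SHA2_512_256", "HMAC_SHA2_384_192", "HMAC_SHA2_256_128", "HMAC_SHA1_96", "HMAC_MD5_96"],
    ESN: ["Enabled", "Disabled"],
}

# Responder preference order (assumed for the example; the page only states the winning choice).
RESPONDER_PREFS = {
    ENCR: ["AES_CBC_256", "AES_CBC_192", "AES_CBC_128", "3DES"],
    PRF: ["HMAC_SHA2_512", "HMAC_SHA2_384", "HMAC_SHA2_256", "HMAC_SHA1", "HMAC_MD5"],
    INTEG: ["HMAC_SHA2_512_256", "HMAC_SHA2_384_192", "HMAC_SHA2_256_128", "HMAC_SHA1_96", "HMAC_MD5_96"],
    DH: ["Group14", "Group5", "Group2"],
    ESN: ["Enabled", "Disabled"],
}

# Transform types a proposal must contain for each protocol (RFC 7296 3.3.3, AES-CBC only)
REQUIRED = {PROTO_IKE: (ENCR, PRF, INTEG, DH), PROTO_ESP: (ENCR, INTEG, ESN)}


def encode_transform(ttype, name, last):
    """Transform substructure: last/more(1) RESERVED(1) length(2) type(1) RESERVED(1) id(2) [attrs]."""
    tid, keylen = TRANSFORM_IDS[ttype][name]
    attrs = b""
    if keylen is not None:
        # TV-format attribute: AF bit (0x8000) | attribute type, then a 2-byte value
        attrs = struct.pack("!HH", 0x8000 | KEY_LENGTH_ATTR, keylen)
    body = struct.pack("!BBH", ttype, 0, tid) + attrs
    return struct.pack("!BBH", 0 if last else 3, 0, 4 + len(body)) + body


def encode_proposal(num, proto, spi, transforms, last=True):
    """Proposal substructure: last/more(1) RESERVED(1) length(2) num(1) proto(1)
    spi_size(1) n_transforms(1) SPI transforms."""
    items = [(t, n) for t, names in transforms.items() for n in names]
    encoded = b"".join(encode_transform(t, n, i == len(items) - 1) for i, (t, n) in enumerate(items))
    body = struct.pack("!BBBB", num, proto, len(spi), len(items)) + spi + encoded
    return struct.pack("!BBH", 0 if last else 2, 0, 4 + len(body)) + body


def ike_default_proposal():
    return encode_proposal(1, PROTO_IKE, b"", IKE_DEFAULT)   # IKE_SA_INIT proposals carry no SPI


def child_default_proposal(spi=b"\x00\x00\x00\x01"):
    return encode_proposal(1, PROTO_ESP, spi, CHILD_DEFAULT)   # constructed 4-byte ESP SPI


def select_transforms(proto, offered, prefs):
    """Responder choice: for every transform type the protocol requires, the first preferred
    transform that also appears in the initiator's proposal. None means NO_PROPOSAL_CHOSEN."""
    chosen = {}
    for ttype in REQUIRED[proto]:
        pick = next((n for n in prefs[ttype] if n in offered.get(ttype, [])), None)
        if pick is None:
            return None
        chosen[ttype] = pick
    return chosen
```

Running select_transforms against the default proposals reproduces the responder's documented choice; feeding it a proposal that offers only 3DES, HMAC_MD5 and Group2 shows why those entries matter: the responder has nothing better to pick and accepts them.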



- Child SA's default traffic selectors:

By default, Rockhopper (initiator) sends the following traffic selectors, which cover every protocol, port and address for both IPv4 and IPv6. You can narrow them down by adding traffic selector settings.

Side             Protocol  Port range       Address range
Initiator (TSi)  Any (0)   Any (0 - 65535)  Any (IPv4: 0.0.0.0 - 255.255.255.255)
Initiator (TSi)  Any (0)   Any (0 - 65535)  Any (IPv6: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
Responder (TSr)  Any (0)   Any (0 - 65535)  Any (IPv4: 0.0.0.0 - 255.255.255.255)
Responder (TSr)  Any (0)   Any (0 - 65535)  Any (IPv6: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)

By default, Rockhopper (responder) does not narrow down the above traffic selectors unless the initiator peer is a remote access client. With these defaults on both sides, any traffic can be routed into the tunnel, so add traffic selector settings on at least one side when only specific networks or services should be reachable through it.
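The encoding of these default selectors and the narrowing a responder performs against a local policy, written here as an added Python example rather than Rockhopper's own code (the TS type numbers and field layout follow RFC 7296 section 3.13; the policy networks used in the usage are made up):

```python
"""IKEv2 traffic selectors (RFC 7296 sections 2.9 and 3.13): encoding the default
'any' selectors above and narrowing them against a local policy."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Union

TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class TrafficSelector:
    ts_type: int
    protocol: int        # IP protocol ID, 0 = any
    start_port: int
    end_port: int
    start_addr: Address
    end_addr: Address

    @classmethod
    def any_v4(cls):
        return cls(TS_IPV4_ADDR_RANGE, 0, 0, 65535,
                   ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))

    @classmethod
    def any_v6(cls):
        return cls(TS_IPV6_ADDR_RANGE, 0, 0, 65535, ipaddress.IPv6Address("::"),
                   ipaddress.IPv6Address("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))

    @classmethod
    def from_network(cls, net, protocol=0, start_port=0, end_port=65535):
        """Build a selector from a CIDR prefix, e.g. one local policy entry."""
        n = ipaddress.ip_network(net, strict=False)
        ts_type = TS_IPV4_ADDR_RANGE if n.version == 4 else TS_IPV6_ADDR_RANGE
        return cls(ts_type, protocol, start_port, end_port, n[0], n[-1])

    def encode(self):
        """TS: type(1) protocol(1) length(2) start_port(2) end_port(2) start_addr end_addr."""
        addrs = self.start_addr.packed + self.end_addr.packed
        return struct.pack("!BBHHH", self.ts_type, self.protocol, 8 + len(addrs),
                           self.start_port, self.end_port) + addrs

    def narrow(self, other):
        """Intersection with another selector, or None if the two do not overlap."""
        if self.ts_type != other.ts_type:
            return None
        if self.protocol and other.protocol and self.protocol != other.protocol:
            return None
        start_port = max(self.start_port, other.start_port)
        end_port = min(self.end_port, other.end_port)
        start_addr = max(self.start_addr, other.start_addr)
        end_addr = min(self.end_addr, other.end_addr)
        if start_port > end_port or start_addr > end_addr:
            return None
        return TrafficSelector(self.ts_type, self.protocol or other.protocol,
                               start_port, end_port, start_addr, end_addr)


def default_selectors():
    """What the initiator sends by default, for TSi and TSr alike."""
    return [TrafficSelector.any_v4(), TrafficSelector.any_v6()]


def encode_ts_payload(selectors):
    """TS payload body: number of TSs(1) RESERVED(3) followed by the selectors."""
    return struct.pack("!B3x", len(selectors)) + b"".join(s.encode() for s in selectors)


def narrow_selectors(offered, policy):
    """Responder-side narrowing: every non-empty intersection of an offered selector
    with a local policy selector. An empty result means TS_UNACCEPTABLE."""
    result = []
    for o in offered:
        for p in policy:
            n = o.narrow(p)
            if n is not None and n not in result:
                result.append(n)
    return result


if __name__ == "__main__":
    # Constructed policy: only TCP/443 into 10.0.0.0/8 and anything into 2001:db8::/32
    policy = [TrafficSelector.from_network("10.0.0.0/8", protocol=6, start_port=443, end_port=443),
              TrafficSelector.from_network("2001:db8::/32")]
    for ts in narrow_selectors(default_selectors(), policy):
        print(ts)
```

Narrowing the "any" defaults against the policy yields one IPv4 selector restricted to TCP port 443 and 10.0.0.0 - 10.255.255.255 and one IPv6 selector for 2001:db8::/32; a policy with no overlap yields nothing, which is the TS_UNACCEPTABLE case.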



- Attributes of the remote configuration (Configuration (CP) payload):

Attribute (meaning)                                             Initiator  Responder
                                                                (remote    (remote
                                                                access     configuration
                                                                client)    server)
INTERNAL_IP4_ADDRESS (VPN interface's address)                  Yes        Yes
INTERNAL_IP4_NETMASK (VPN interface's netmask)                  Yes        Yes
INTERNAL_IP4_SUBNET (split tunneling, internal routing entries) Yes        Yes
INTERNAL_IP4_DNS (DNS server)                                   Yes        Yes
INTERNAL_IP4_NBNS (WINS server)                                 No         Yes
INTERNAL_IP4_DHCP                                               No         No
APPLICATION_VERSION                                             Yes        Yes
INTERNAL_IP6_ADDRESS (VPN interface's address and netmask)      Yes        Yes
INTERNAL_IP6_DNS (DNS server)                                   Yes        Yes
INTERNAL_IP6_SUBNET (split tunneling, internal routing entries) Yes        Yes
INTERNAL_IP6_NBNS (WINS server)                                 No         Yes
INTERNAL_IP6_DHCP                                               No         No
RHP_IPV4_GATEWAY (28468, default gateway for bridge config)     Yes        Yes
RHP_IPV6_GATEWAY (28469, default gateway for bridge config)     Yes        Yes
RHP_DNS_SFX (28467, FQDN suffix for split DNS)                  Yes        Yes
RHP_IPV6_AUTOCONF (28470, IPv6 autoconfiguration over IPsec)    Yes        Yes

The RHP_* entries are Rockhopper-specific attributes; the number in parentheses is the attribute type, taken from the IKEv2 private-use range (16384 - 32767), so other implementations will not recognise them.
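To show what a CFG_REQUEST and CFG_REPLY built from this table look like on the wire, here is an added Python example (not Rockhopper's code). The standard attribute types and value formats are those of RFC 7296 section 3.15; the RHP_* private types are carried as opaque bytes because their value format is not documented here, and all addresses in the sample reply are constructed.

```python
"""IKEv2 Configuration (CP) payload, RFC 7296 section 3.15: the CFG_REQUEST a remote
access client sends and the CFG_REPLY it parses on return."""
import ipaddress
import struct

CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# Attribute types from RFC 7296 3.15.1 plus the Rockhopper private-range types listed above
# (16384 - 32767 is the Private Use range).
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS = 1, 2, 3, 4
INTERNAL_IP4_DHCP, APPLICATION_VERSION, INTERNAL_IP6_ADDRESS = 6, 7, 8
INTERNAL_IP6_DNS, INTERNAL_IP6_NBNS, INTERNAL_IP6_DHCP = 10, 11, 12
INTERNAL_IP4_SUBNET, INTERNAL_IP6_SUBNET = 13, 15
RHP_DNS_SFX, RHP_IPV4_GATEWAY, RHP_IPV6_GATEWAY, RHP_IPV6_AUTOCONF = 28467, 28468, 28469, 28470

IP4_ATTRS = (INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS,
             INTERNAL_IP4_NBNS, INTERNAL_IP4_DHCP)                     # 4-byte address
IP6_ATTRS = (INTERNAL_IP6_DNS, INTERNAL_IP6_NBNS, INTERNAL_IP6_DHCP)  # 16-byte address
IP6_PREFIX_ATTRS = (INTERNAL_IP6_ADDRESS, INTERNAL_IP6_SUBNET)        # 16-byte address + 1-byte prefix


def encode_value(atype, value):
    """Wire form of one attribute value. None gives the empty value a CFG_REQUEST
    uses to ask the server to assign one."""
    if value is None:
        return b""
    if atype in IP4_ATTRS:
        return ipaddress.IPv4Address(value).packed
    if atype in IP6_ATTRS:
        return ipaddress.IPv6Address(value).packed
    if atype == INTERNAL_IP4_SUBNET:                      # address(4) + netmask(4)
        net = ipaddress.IPv4Network(value, strict=False)
        return net.network_address.packed + net.netmask.packed
    if atype in IP6_PREFIX_ATTRS:
        iface = ipaddress.IPv6Interface(value)
        return iface.ip.packed + bytes([iface.network.prefixlen])
    if atype == APPLICATION_VERSION:
        return value.encode()
    return bytes(value)   # private-range types: format not public here, passed through opaque


def decode_value(atype, raw):
    if not raw:
        return None
    if atype in IP4_ATTRS:
        return str(ipaddress.IPv4Address(raw))        # raises ValueError unless 4 bytes
    if atype in IP6_ATTRS:
        return str(ipaddress.IPv6Address(raw))        # raises ValueError unless 16 bytes
    if atype == INTERNAL_IP4_SUBNET:
        if len(raw) != 8:
            raise ValueError("INTERNAL_IP4_SUBNET must be 8 bytes")
        addr, mask = ipaddress.IPv4Address(raw[:4]), ipaddress.IPv4Address(raw[4:])
        return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    if atype in IP6_PREFIX_ATTRS:
        if len(raw) != 17:
            raise ValueError("IPv6 address/subnet attribute must be 17 bytes")
        return f"{ipaddress.IPv6Address(raw[:16])}/{raw[16]}"
    if atype == APPLICATION_VERSION:
        return raw.decode()
    return raw


def encode_cp(cfg_type, attributes):
    """CP payload body: CFG type(1) RESERVED(3), then TLV attributes: R(1)|type(15) length(2) value."""
    out = struct.pack("!B3x", cfg_type)
    for atype, value in attributes:
        v = encode_value(atype, value)
        out += struct.pack("!HH", atype & 0x7FFF, len(v)) + v
    return out


def parse_cp(data):
    """Parse a CP payload body, rejecting a set reserved bit and truncated attributes."""
    cfg_type = data[0]
    off, attrs = 4, []
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        hdr, length = struct.unpack_from("!HH", data, off)
        if hdr & 0x8000:
            raise ValueError("reserved R bit set in CP attribute")
        value = data[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((hdr & 0x7FFF, decode_value(hdr & 0x7FFF, value)))
        off += 4 + length
    return cfg_type, attrs


def client_request():
    """What a remote access client asks for: addresses, DNS and split-tunnel routes."""
    return encode_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, None), (INTERNAL_IP4_DNS, None),
                                   (INTERNAL_IP4_SUBNET, None), (INTERNAL_IP6_ADDRESS, None)])


def sample_reply():
    """A constructed CFG_REPLY; every address and the DNS suffix are made up for the example."""
    return encode_cp(CFG_REPLY, [
        (INTERNAL_IP4_ADDRESS, "10.8.0.2"), (INTERNAL_IP4_NETMASK, "255.255.255.0"),
        (INTERNAL_IP4_DNS, "10.8.0.1"), (INTERNAL_IP4_SUBNET, "192.168.10.0/24"),
        (INTERNAL_IP6_ADDRESS, "2001:db8::10/64"),
        (RHP_DNS_SFX, b"corp.example"),   # private type; value format assumed, carried opaque
    ])
```

The length checks in parse_cp are the part worth copying: a CFG_REPLY comes from the peer after authentication but before the client trusts it to set routes and DNS, so an attribute whose declared length runs past the payload must be rejected rather than sliced short.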



- A Rockhopper's ID or address:

Rockhopper does not support IKEv2's ID_IPV4_ADDR and ID_IPV6_ADDR identity types. Therefore, you need to specify a Rockhopper's ID or address as a hostname (ID_FQDN), an e-mail address (ID_RFC822_ADDR) or a certificate subject name (ID_DER_ASN1_DN).


- EAP (Extensible Authentication Protocol):

EAP-MSCHAPv2 is supported.

- IKEv2 Mobility and Multihoming Protocol (MOBIKE) (RFC4555):

Supported.

- A Quick Crash Detection Method for IKEv2 (QCD) (RFC6290):

Supported.

- IKEv2 Message Fragmentation (RFC7383):

Supported.

- IKEv2 Session Resumption (RFC5723):

Supported.

- The NULL Authentication Method in the IKEv2 (RFC7619):

Supported.


- IPv6:

Supported.

