IKER features
- IKE algorithms:
  - AES-{128,256}-GCM-16 + AES-XCBC + curve25519
  - {Kuznechik,Magma}-MGM-{96,64} + HMAC-Streebog-512 + 34.10-2012-VKO-{256,512}
- ESP algorithms:
  - AES-{128,256}-GCM-16
  - {Kuznechik,Magma}-MGM
- Optional ESN
- Authentication modes: PSK, X.509 signature authentication
- Signature algorithms: ECDSA, GOST R 34.10-2012
- Signature hashes: SHA1, SHA256, SHA384, SHA512, Streebog256, Streebog512
- Both per-peer initiator (with autostart) and responder roles
- Ability to use signature authentication for one side and PSK for the other
- Dead peer detection
- Duplicate response detection
- strongSwan-like traffic selectors specification (fc00::123/128[tcp/80],fc00::123/128[udp],fc00::200/120)
- Exact traffic selectors equivalence check
- Honest proposals negotiation (remote peer can offer more than a single ENCR/DH/PRF transform)
- Supported identities: FQDN (for PSK), DN (for signature authentication)
- Honest processing of delete notifications, and sending them when quitting or clearing up a dead peer
- Transport and tunnel modes negotiation
- ESN negotiation
- TFC negotiation