Normally Openswan proposes all the ciphers and algorithms it supports, using a hardcoded preference. You can force which ciphers and algorithms to propose, and in which order to propose them, per connection. This can be useful for various reasons. The remote could have a buggy cipher implementation that would be otherwise selected. The remote could be a low-CPU appliance, and you wish to reduce the crypto strength. Some remotes do not respond at all after the first proposal, and you need to send the exact proposal for the remote as the first suggestion. Depending on the ciphers and algorithms that your version of Openswan and kernel support, you can define them using ike=
and esp=
lines. Ciphers and algorithms can either come from the KLIPS code or from the Linux CryptoAPI code. If a cipher or algorithm is available from KLIPS, it will be used instead of the CryptoAPI version.
You can use the following command to see what ciphers and algorithms are supported and loaded...