A related concept is the mode of operation, which turns a block cipher into a cipher that can handle data of arbitrary length (loosely, a stream cipher). CBC is a commonly used one; when it is used with AES, it is written AES-CBC.
Message authentication: Used for data integrity. These algorithms are also called MACs (Message Authentication Codes).
Authenticated Encryption (AE): Combines confidentiality and integrity. See Wikipedia: Authenticated Encryption.
EtM (Encrypt-then-MAC): A secure way to combine an encryption algorithm with a MAC algorithm.
GCM (Galois/Counter Mode): A mode of operation which, when paired with a block cipher, provides AE (actually AEAD) in one step.
Some commonly used AE methods:
AES-CBC with an HMAC, e.g. AES128-CBC-HMAC-SHA256.
ChaCha20 with Poly1305.
AES-GCM.
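As an added illustration of the EtM construction and of the AES128-CBC-HMAC-SHA256 combination listed above (example code written for this page, not taken from strongSwan or any library), the following Go program encrypts with AES-128-CBC, then computes an HMAC-SHA256 over the IV and ciphertext. The receiver verifies the tag in constant time before decrypting and only then inspects the padding, which is what makes the combination safe against padding-oracle attacks on unauthenticated CBC. The keys, message layout (IV || ciphertext || tag) and the use of two independent keys are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed Encrypt-then-MAC example: AES-128-CBC for confidentiality,
// HMAC-SHA256 for integrity. Wire format: IV (16) || ciphertext || tag (32).
const tagSize = sha256.Size

var errAuth = errors.New("etm: authentication failed")

// pkcs7Pad pads to a whole number of AES blocks (always adds 1..16 bytes).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad removes the padding added by pkcs7Pad and rejects malformed padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("etm: bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("etm: bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("etm: bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// etmEncrypt encrypts first, then MACs the IV together with the ciphertext,
// so a modified IV is detected as well as a modified ciphertext block.
func etmEncrypt(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	msg := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg)
	return mac.Sum(msg), nil // IV || ciphertext || tag
}

// etmDecrypt checks the tag in constant time before touching the ciphertext;
// padding is examined only after authentication succeeded.
func etmDecrypt(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+tagSize {
		return nil, errAuth
	}
	body, tag := msg[:len(msg)-tagSize], msg[len(msg)-tagSize:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errAuth
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	encKey := bytes.Repeat([]byte{0x11}, 16) // constructed demo keys only
	macKey := bytes.Repeat([]byte{0x22}, 32)
	msg, err := etmEncrypt(encKey, macKey, []byte("hello IPsec"))
	if err != nil {
		panic(err)
	}
	pt, err := etmDecrypt(encKey, macKey, msg)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	msg[aes.BlockSize] ^= 0x01 // flip one ciphertext bit
	_, err = etmDecrypt(encKey, macKey, msg)
	fmt.Println("after tampering:", err)
}
```

Ordering is the whole point of EtM: because the MAC covers the ciphertext, a forged or bit-flipped message is rejected before any decryption or padding check runs, so the receiver never leaks information about the plaintext or padding to an attacker.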
Authenticated Encryption with Associated Data (AEAD): Similar to AE, but also allows extra unencrypted data (the associated data) to be authenticated. Roughly speaking:
A common use case for AEAD is encrypting a network packet where the packet header must stay unencrypted (so it can be routed) but still be authenticated, so that any tampering with it is detected.
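The packet use case described above, worked through in Go as an added example (not code from the original post or from any real protocol implementation): a constructed packet header is passed to AES-GCM as associated data, so it travels in the clear and remains readable by the network, while any change to it, to the ciphertext, or to the tag makes decryption fail. The packet layout (header || nonce || ciphertext+tag), the fixed header length and the key are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed packet layout (not a real protocol):
//   header (cleartext, authenticated as associated data) ||
//   nonce (12 bytes) || AES-GCM ciphertext of the payload || tag (16 bytes)
// Both sides know the fixed header length hdrLen.

var errTooShort = errors.New("aead: packet too short")

// sealPacket encrypts payload and authenticates header+payload with AES-GCM.
func sealPacket(key, header, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	pkt := make([]byte, 0, len(header)+len(nonce)+len(payload)+aead.Overhead())
	pkt = append(pkt, header...) // header stays in the clear
	pkt = append(pkt, nonce...)
	// header is the additional data: authenticated but not encrypted
	return aead.Seal(pkt, nonce, payload, header), nil
}

// openPacket returns the cleartext header and the decrypted payload, or an
// error if the header, ciphertext or tag was modified in transit.
func openPacket(key []byte, hdrLen int, pkt []byte) (header, payload []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	ns := aead.NonceSize()
	if len(pkt) < hdrLen+ns+aead.Overhead() {
		return nil, nil, errTooShort
	}
	header = pkt[:hdrLen]
	nonce := pkt[hdrLen : hdrLen+ns]
	payload, err = aead.Open(nil, nonce, pkt[hdrLen+ns:], header)
	if err != nil {
		return nil, nil, err // tag mismatch: header or payload was altered
	}
	return header, payload, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	header := []byte{0x45, 0x00, 0x00, 0x34, 0xc0, 0x00, 0x02, 0x01} // constructed header bytes
	pkt, err := sealPacket(key, header, []byte("secret payload"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("header visible on the wire: %x\n", pkt[:len(header)])
	_, payload, err := openPacket(key, len(header), pkt)
	fmt.Printf("payload: %q err=%v\n", payload, err)
	pkt[0] ^= 0x01 // a router "edits" the header
	_, _, err = openPacket(key, len(header), pkt)
	fmt.Println("after header tampering:", err)
}
```

The header is a plain prefix of the packet and is never fed to the cipher, yet because it is covered by the GCM tag, an intermediary cannot rewrite it without the receiver noticing. Nonce reuse under the same key breaks AES-GCM entirely, which is why the example draws a fresh random nonce per packet.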
Note about DH and curves of EC-based algorithms: DH-based algorithms may have a "Group" option, which specifies either a prime field or an elliptic curve. If a prime field is used, such as modp2048, it is plain DH; if an elliptic curve group is used, such as ecp256, it is EC-based DH. Some other curves may be used:
When strongSwan tries to match an ID against a certificate, it checks both the Subject DN and the SubjectAltName (SAN). So far we have been using the Subject DN; the SAN lets us use a domain name or even an IP address as the ID. Also, although I keep saying "domain name" or "IP", in practice all that matters is that the SAN matches the ID; whether that "domain name" is actually ours is irrelevant. (Of course, only self-signing can produce such a certificate.)
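To make the SAN-versus-ID matching concrete, here is an added Go example (written for this page; it is not strongSwan's matching code and does not reproduce its exact rules). It builds a self-signed certificate whose SAN lists a DNS name, an IP address, and a second DNS name that is not "ours", then checks candidate IDs against those SAN entries. The gateway name vpn.example.com, the documentation address 203.0.113.10 and the foreign name not-our-domain.example.org are constructed values; Go's VerifyHostname is used purely as a stand-in for a SAN lookup, since it consults only the DNSNames and IPAddresses entries of the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a self-signed certificate whose SubjectAltName
// carries the given DNS names and IP addresses. Constructed example only:
// a self-signed certificate can carry any name its issuer chooses to put in.
func newSelfSignedCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example VPN"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // SAN dNSName entries
		IPAddresses:  ips,      // SAN iPAddress entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// idMatchesSAN reports whether id (a DNS name or an IP literal) appears in
// the certificate's SAN. VerifyHostname checks DNSNames for names and
// IPAddresses for IPs; it never falls back to the Subject DN.
func idMatchesSAN(cert *x509.Certificate, id string) bool {
	return cert.VerifyHostname(id) == nil
}

// demoCert is the hypothetical gateway certificate used below.
func demoCert() (*x509.Certificate, error) {
	return newSelfSignedCert("vpn.example.com",
		[]string{"vpn.example.com", "not-our-domain.example.org"},
		[]net.IP{net.ParseIP("203.0.113.10")})
}

func main() {
	cert, err := demoCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("Subject DN:", cert.Subject.String())
	fmt.Println("SAN DNS:", cert.DNSNames, "SAN IP:", cert.IPAddresses)
	for _, id := range []string{"vpn.example.com", "203.0.113.10",
		"not-our-domain.example.org", "other.example.com", "203.0.113.11"} {
		fmt.Printf("ID %-28s matches SAN: %v\n", id, idMatchesSAN(cert, id))
	}
}
```

The foreign name is accepted exactly as the text says: the check is only "does the SAN contain this ID", so what keeps a peer from presenting a certificate for someone else's name is not the SAN match itself but which issuing CA the other side has been configured to trust.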