<div dir="ltr">Thank you both Christian and Jafar for the clear proposals.<div><br></div><div>So yes, if I wanted to support Windows 10, iOS/OSX and Linux with the stronger set of encryption. Do I set <b style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">aes256-sha256-prfsha256-<wbr>modp2048 </b><span style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">into <b>ike</b> only? Or both in <b>ike</b> and <b>esp</b>?</span></div><br>This part wasn't quite clear to me.<br><br>Yeah, I have already set [NegotiateDH2048_AES256] in Windows 10. <br><br>Many Thanks,<br>Houman<div><span style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br></span></div><div><span style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br></span></div><div class="gmail_extra"><br><div class="gmail_quote">On 8 May 2018 at 08:40, Christian Salway <span dir="ltr"><<a href="mailto:christian.salway@naimuri.com" target="_blank">christian.salway@naimuri.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"><div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">The problem with Windows (10 at least) is that it offers the weakest ciphers first, so you should remove sha1 and 3des.</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">The minimum proposals you should have and which are compatible with Windows 10, OSX, IOS and Linux are the following.</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><b>proposals = aes256-sha256-prfsha256-<wbr>modp2048-modp1024</b></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Although I would recommend adding the Windows 10 registry key [<span style="font-family:monospace,monospace">NegotiateDH2048_AES256</span>] to use strong ciphers and then you can remove MODP1024</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br></div><a href="http://www.naimuri.com" target="_blank">
</a></div><div><br><blockquote type="cite"><div>On 7 May 2018, at 15:50, Jafar Al-Gharaibeh <<a href="mailto:jafar@atcorp.com" target="_blank">jafar@atcorp.com</a>> wrote:</div><br class="gmail-m_-6903710819164957598Apple-interchange-newline"><div>
<div bgcolor="#FFFFFF">
Houman,<br>
<br>
The Windows client proposals do not match your configured
proposals. Your Windows client expect DG group 15 (MODP2048), where
as you have:<br>
<br>
<font face="monospace, monospace">aes256-3des-sha1-modp1024<br>
<br>
change that to:<br>
<br>
</font><font face="monospace, monospace"><font face="monospace,
monospace">aes256-3des-sha1-modp2048</font><br>
</font><br>
I'd also add sha256 at least before sha1 (deemed insecure). If you
still have other clients expecting modp1024, make it:<br>
<br>
<font face="monospace, monospace">aes256-3des-sha256-sha1-<wbr>modp2048-modp1024<br>
<br>
That should get you covered. <br>
<br>
Regards,<br>
Jafar<br>
<br>
</font><div><div class="gmail-h5"><br>
<div class="gmail-m_-6903710819164957598moz-cite-prefix">On 5/7/2018 8:17 AM, Houman wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>Until a week ago a user with Windows 10 had no issue
connecting to the StrongSwan server. But now out of the blue,
he can't connect to the StrongSwan server anymore.</div>
<div><br>
</div>
<div>The log on the server is:</div>
<div><br>
</div>
<font face="monospace, monospace">May 7 12:31:06 vpn-p1 charon:
08[IKE] received proposals inacceptable<br>
May 7 12:31:06 vpn-p1 charon: 08[ENC] generating IKE_SA_INIT
response 0 [ N(NO_PROP) ]<br>
May 7 12:31:06 vpn-p1 charon: 08[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)<br>
May 7 12:32:09 vpn-p1 systemd[1]: Started Session 35 of user
root.<br>
May 7 12:46:21 vpn-p1 systemd[1]: Starting Cleanup of
Temporary Directories...<br>
May 7 12:46:21 vpn-p1 systemd-tmpfiles[7016]:
[/usr/lib/tmpfiles.d/var.conf:<wbr>14] Duplicate line for path
"/var/log", ignoring.<br>
May 7 12:46:21 vpn-p1 systemd[1]: Started Cleanup of
Temporary Directories.<br>
May 7 13:00:13 vpn-p1 systemd[1]: Starting Certbot...<br>
May 7 13:00:13 vpn-p1 systemd[1]: Started Certbot.<br>
May 7 13:08:20 vpn-p1 systemd[1]: Started Session 36 of user
root.<br>
May 7 13:11:27 vpn-p1 charon: 12[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)<br>
May 7 13:11:27 vpn-p1 charon: 12[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS NT5
ISAKMPOAKLEY v9 vendor ID<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE] received MS-Negotiation
Discovery Capable vendor ID<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE] received
Vid-Initial-Contact vendor ID<br>
May 7 13:11:27 vpn-p1 charon: 12[ENC] received unknown vendor
ID:
01:52:8b:bb:c0:06:96:12:18:49:<wbr>ab:9a:1c:5b:2a:51:00:00:00:02<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE] 91.98.xxx.xxx is
initiating an IKE_SA<br>
May 7 13:11:27 vpn-p1 charon: 12[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/<wbr>PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/MODP_<wbr>2048,
IKE:AES_CBC_256/HMAC_SHA2_384_<wbr>192/PRF_HMAC_SHA2_384/MODP_<wbr>2048<br>
May 7 13:11:27 vpn-p1 charon: 12[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_<wbr>256_128/PRF_HMAC_SHA2_256/ECP_<wbr>521,
IKE:AES_CBC_256/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_<wbr>SHA1_96/PRF_HMAC_SHA1/MODP_<wbr>1024<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE] remote host is behind
NAT<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE] received proposals
inacceptable<br>
May 7 13:11:27 vpn-p1 charon: 12[ENC] generating IKE_SA_INIT
response 0 [ N(NO_PROP) ]<br>
May 7 13:11:27 vpn-p1 charon: 12[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)<br>
May 7 13:11:28 vpn-p1 charon: 16[NET] received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500] (624 bytes)<br>
May 7 13:11:28 vpn-p1 charon: 16[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS NT5
ISAKMPOAKLEY v9 vendor ID<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE] received MS-Negotiation
Discovery Capable vendor ID<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE] received
Vid-Initial-Contact vendor ID<br>
May 7 13:11:28 vpn-p1 charon: 16[ENC] received unknown vendor
ID:
01:52:8b:bb:c0:06:96:12:18:49:<wbr>ab:9a:1c:5b:2a:51:00:00:00:02<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE] 91.98.xxx.xxx is
initiating an IKE_SA<br>
May 7 13:11:28 vpn-p1 charon: 16[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/<wbr>PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/MODP_<wbr>2048,
IKE:AES_CBC_256/HMAC_SHA2_384_<wbr>192/PRF_HMAC_SHA2_384/MODP_<wbr>2048<br>
May 7 13:11:28 vpn-p1 charon: 16[CFG] configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_<wbr>256_128/PRF_HMAC_SHA2_256/ECP_<wbr>521,
IKE:AES_CBC_256/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_<wbr>SHA1_96/PRF_HMAC_SHA1/MODP_<wbr>1024<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE] remote host is behind
NAT<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE] received proposals
inacceptable<br>
May 7 13:11:28 vpn-p1 charon: 16[ENC] generating IKE_SA_INIT
response 0 [ N(NO_PROP) ]<br>
May 7 13:11:28 vpn-p1 charon: 16[NET] sending packet: from
xxx.x.xx.92[500] to 91.98.xxx.xxx[500] (36 bytes)</font>
<div><br>
</div>
<div>The Server's ipsec.conf is:</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">config setup</font></div>
<div><font face="monospace, monospace"> strictcrlpolicy=yes</font></div>
<div><font face="monospace, monospace"> uniqueids=never</font></div>
<div><font face="monospace, monospace">conn roadwarrior</font></div>
<div><font face="monospace, monospace"> auto=add</font></div>
<div><font face="monospace, monospace"> compress=no</font></div>
<div><font face="monospace, monospace"> type=tunnel</font></div>
<div><font face="monospace, monospace"> keyexchange=ikev2</font></div>
<div><font face="monospace, monospace"> fragmentation=yes</font></div>
<div><font face="monospace, monospace"> forceencaps=yes</font></div>
<div><font face="monospace, monospace">
ike=aes256gcm16-sha256-ecp521,<wbr>aes256-sha256-ecp384,aes256-<wbr>3des-sha1-modp1024!</font></div>
<div><font face="monospace, monospace">
esp=aes256gcm16-sha256,aes256-<wbr>3des-sha256-sha1!</font></div>
<div><font face="monospace, monospace"> dpdaction=clear</font></div>
<div><font face="monospace, monospace"> dpddelay=180s</font></div>
<div><font face="monospace, monospace"> rekey=no</font></div>
<div><font face="monospace, monospace"> left=%any</font></div>
<div><font face="monospace, monospace"> leftid=@${VPNHOST}</font></div>
<div><font face="monospace, monospace"> leftcert=cert.pem</font></div>
<div><font face="monospace, monospace"> leftsendcert=always</font></div>
<div><font face="monospace, monospace"> leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></font></div>
<div><font face="monospace, monospace"> right=%any</font></div>
<div><font face="monospace, monospace"> rightid=%any</font></div>
<div><font face="monospace, monospace"> rightauth=eap-radius</font></div>
<div><font face="monospace, monospace"> eap_identity=%any</font></div>
<div><font face="monospace, monospace">
rightdns=208.67.222.222,208.<wbr>67.220.220</font></div>
<div><font face="monospace, monospace">
rightsourceip=${VPNIPPOOL}</font></div>
<div><font face="monospace, monospace"> rightsendcert=never</font></div>
</div>
<div><br>
</div>
<div>Have the supported ike/esp proposals somehow been changed
recently after a recent Windows 10 update?</div>
<div><br>
</div>
<div>I have made these changes on the Windows 10, after
googling for a solution:</div>
<div><br>
</div>
<div><font face="monospace, monospace">- The firewall on Windows
10 is currently disabled. </font></div>
<font face="monospace, monospace">- I have set
NegotiateDH2048_AES256 = 1 in Regedit<br>
- AssumeUDPEncapsulationContextO<wbr>nSendRule = 2 in Regedit</font>
<div><br>
</div>
<div>I can't think of anything else I could do on the Windows 10
client.<br>
<div><br>
</div>
<div>According to my notes, these are the proposed protocols
for Windows 10:</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace"># these ike and esp
settings are tested on Mac 10.12, iOS 10 and Windows 10</font></div>
<div><font face="monospace, monospace"># iOS/Mac with
appropriate configuration profiles use
AES_GCM_16_256/PRF_HMAC_SHA2_<wbr>256/ECP_521</font></div>
<div><font face="monospace, monospace"># Windows 10 uses
AES_CBC_256/HMAC_SHA2_256_128/<wbr>PRF_HMAC_SHA2_256/ECP_384</font></div>
</div>
<div><br>
</div>
<div>Is there a website that translates
AES_CBC_256/HMAC_SHA2_256_128/<wbr>PRF_HMAC_SHA2_256/ECP_384 into
the right naming for ipsec.conf so that I enter them under
ike and esp respectively? I can't quite make out if I have
these settings there or not.</div>
<div><br>
</div>
<div>If you have any other advice, please help me.</div>
<div><br>
</div>
<div>Many Thanks,</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</div></blockquote></div><br></div></blockquote></div><br></div></div>