<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Houman,<br>
<br>
No need to configure a prf, it is already assumed when you
configured a DH group; so you can drop prfsha256. And as Christian
suggested, if all your clients support strong encryption, drop all
weak algorithms/proposals from the server end, i.e. 3des, sha1,
modp1024. I can't believe that Microsoft still in 2018 offers these
as the default options and expects users to go tinker with obscure
registry keys to enable stronger options. <br>
<br>
For ESP, I'd connect the Windows client and see what the offered
proposals are in the logs at the server side, just as you did with ike.
You can then limit the proposals at the server end to the good ones.
If I remember well, AES256 was an option, but esp didn't allow a DH
group so you might need to drop that, but I could be wrong.<br>
<br>
Cheers,<br>
Jafar <br>
<br>
<br>
<div class="moz-cite-prefix">On 5/8/2018 1:55 PM, Houman wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABBZOsk-9SOLJmU5k5Op2praTDJ=EP5NCOsjPMuTE+ZoFGsSow@mail.gmail.com">
<div dir="ltr">Thank you both Christian and Jafar for the clear
proposals.
<div><br>
</div>
<div>So yes, if I wanted to support Windows 10, iOS/OSX and
Linux with the stronger set of encryption, do I set <b
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">aes256-sha256-prfsha256-<wbr>modp2048
</b><span
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px">into
<b>ike</b> only? Or both in <b>ike</b> and <b>esp</b>?</span></div>
<br>
This part wasn't quite clear to me.<br>
<br>
Yeah, I have already set [NegotiateDH2048_AES256] in Windows 10.
<br>
<br>
Many Thanks,<br>
Houman
<div><span
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</span></div>
<div><span
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px"><br>
</span></div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 8 May 2018 at 08:40, Christian
Salway <span dir="ltr"><<a
href="mailto:christian.salway@naimuri.com"
target="_blank" moz-do-not-send="true">christian.salway@naimuri.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<div
style="word-wrap:break-word;line-break:after-white-space">
<div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">The
problem with Windows (10 at least) is that it offers
the weakest ciphers first, so you should remove sha1
and 3des.</div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>
</div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">The
minimum proposals you should have and which are
compatible with Windows 10, OSX, iOS and Linux are
the following.</div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>
</div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><b>proposals
= aes256-sha256-prfsha256-<wbr>modp2048-modp1024</b></div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>
</div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Although
I would recommend adding the Windows 10 registry key
[<span style="font-family:monospace,monospace">NegotiateDH2048_AES256</span>]
to use strong ciphers and then you can remove
MODP1024</div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>
</div>
<div
style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>
</div>
</div>
<div><br>
<blockquote type="cite">
<div>On 7 May 2018, at 15:50, Jafar Al-Gharaibeh
<<a href="mailto:jafar@atcorp.com"
target="_blank" moz-do-not-send="true">jafar@atcorp.com</a>>
wrote:</div>
<br
class="gmail-m_-6903710819164957598Apple-interchange-newline">
<div>
<div bgcolor="#FFFFFF"> Houman,<br>
<br>
The Windows client proposals do not match your
configured proposals. Your Windows client expects
DH group 15 (MODP2048), whereas you have:<br>
<br>
<font face="monospace, monospace">aes256-3des-sha1-modp1024<br>
<br>
change that to:<br>
<br>
</font><font face="monospace, monospace"><font
face="monospace, monospace">aes256-3des-sha1-modp2048</font><br>
</font><br>
I'd also add sha256 at least before sha1 (deemed
insecure). If you still have other clients
expecting modp1024, make it:<br>
<br>
<font face="monospace, monospace">aes256-3des-sha256-sha1-<wbr>modp2048-modp1024<br>
<br>
That should get you covered. <br>
<br>
Regards,<br>
Jafar<br>
<br>
</font>
<div>
<div class="gmail-h5"><br>
<div
class="gmail-m_-6903710819164957598moz-cite-prefix">On
5/7/2018 8:17 AM, Houman wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>Until a week ago a user with
Windows 10 had no issue connecting to
the StrongSwan server. But now out of
the blue, he can't connect to the
StrongSwan server anymore.</div>
<div><br>
</div>
<div>The log on the server is:</div>
<div><br>
</div>
<font face="monospace, monospace">May 7
12:31:06 vpn-p1 charon: 08[IKE]
received proposals inacceptable<br>
May 7 12:31:06 vpn-p1 charon: 08[ENC]
generating IKE_SA_INIT response 0 [
N(NO_PROP) ]<br>
May 7 12:31:06 vpn-p1 charon: 08[NET]
sending packet: from xxx.x.xx.92[500]
to 91.98.xxx.xxx[500] (36 bytes)<br>
May 7 12:32:09 vpn-p1 systemd[1]:
Started Session 35 of user root.<br>
May 7 12:46:21 vpn-p1 systemd[1]:
Starting Cleanup of Temporary
Directories...<br>
May 7 12:46:21 vpn-p1
systemd-tmpfiles[7016]:
[/usr/lib/tmpfiles.d/var.conf:<wbr>14]
Duplicate line for path "/var/log",
ignoring.<br>
May 7 12:46:21 vpn-p1 systemd[1]:
Started Cleanup of Temporary
Directories.<br>
May 7 13:00:13 vpn-p1 systemd[1]:
Starting Certbot...<br>
May 7 13:00:13 vpn-p1 systemd[1]:
Started Certbot.<br>
May 7 13:08:20 vpn-p1 systemd[1]:
Started Session 36 of user root.<br>
May 7 13:11:27 vpn-p1 charon: 12[NET]
received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500]
(624 bytes)<br>
May 7 13:11:27 vpn-p1 charon: 12[ENC]
parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE]
received MS NT5 ISAKMPOAKLEY v9 vendor
ID<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE]
received MS-Negotiation Discovery
Capable vendor ID<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE]
received Vid-Initial-Contact vendor ID<br>
May 7 13:11:27 vpn-p1 charon: 12[ENC]
received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:<wbr>ab:9a:1c:5b:2a:51:00:00:00:02<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE]
91.98.xxx.xxx is initiating an IKE_SA<br>
May 7 13:11:27 vpn-p1 charon: 12[CFG]
received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/<wbr>PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/MODP_<wbr>2048,
IKE:AES_CBC_256/HMAC_SHA2_384_<wbr>192/PRF_HMAC_SHA2_384/MODP_<wbr>2048<br>
May 7 13:11:27 vpn-p1 charon: 12[CFG]
configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_<wbr>256_128/PRF_HMAC_SHA2_256/ECP_<wbr>521,
IKE:AES_CBC_256/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_<wbr>SHA1_96/PRF_HMAC_SHA1/MODP_<wbr>1024<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE]
remote host is behind NAT<br>
May 7 13:11:27 vpn-p1 charon: 12[IKE]
received proposals inacceptable<br>
May 7 13:11:27 vpn-p1 charon: 12[ENC]
generating IKE_SA_INIT response 0 [
N(NO_PROP) ]<br>
May 7 13:11:27 vpn-p1 charon: 12[NET]
sending packet: from xxx.x.xx.92[500]
to 91.98.xxx.xxx[500] (36 bytes)<br>
May 7 13:11:28 vpn-p1 charon: 16[NET]
received packet: from
91.98.xxx.xxx[500] to xxx.x.xx.92[500]
(624 bytes)<br>
May 7 13:11:28 vpn-p1 charon: 16[ENC]
parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE]
received MS NT5 ISAKMPOAKLEY v9 vendor
ID<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE]
received MS-Negotiation Discovery
Capable vendor ID<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE]
received Vid-Initial-Contact vendor ID<br>
May 7 13:11:28 vpn-p1 charon: 16[ENC]
received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:<wbr>ab:9a:1c:5b:2a:51:00:00:00:02<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE]
91.98.xxx.xxx is initiating an IKE_SA<br>
May 7 13:11:28 vpn-p1 charon: 16[CFG]
received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/<wbr>PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/MODP_<wbr>2048,
IKE:AES_CBC_256/HMAC_SHA2_384_<wbr>192/PRF_HMAC_SHA2_384/MODP_<wbr>2048<br>
May 7 13:11:28 vpn-p1 charon: 16[CFG]
configured proposals:
IKE:AES_GCM_16_256/HMAC_SHA2_<wbr>256_128/PRF_HMAC_SHA2_256/ECP_<wbr>521,
IKE:AES_CBC_256/HMAC_SHA2_256_<wbr>128/PRF_HMAC_SHA2_256/ECP_384,
IKE:AES_CBC_256/3DES_CBC/HMAC_<wbr>SHA1_96/PRF_HMAC_SHA1/MODP_<wbr>1024<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE]
remote host is behind NAT<br>
May 7 13:11:28 vpn-p1 charon: 16[IKE]
received proposals inacceptable<br>
May 7 13:11:28 vpn-p1 charon: 16[ENC]
generating IKE_SA_INIT response 0 [
N(NO_PROP) ]<br>
May 7 13:11:28 vpn-p1 charon: 16[NET]
sending packet: from xxx.x.xx.92[500]
to 91.98.xxx.xxx[500] (36 bytes)</font>
<div><br>
</div>
<div>The Server's ipsec.conf is:</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">config
setup</font></div>
<div><font face="monospace, monospace">
strictcrlpolicy=yes</font></div>
<div><font face="monospace, monospace">
uniqueids=never</font></div>
<div><font face="monospace, monospace">conn
roadwarrior</font></div>
<div><font face="monospace, monospace">
auto=add</font></div>
<div><font face="monospace, monospace">
compress=no</font></div>
<div><font face="monospace, monospace">
type=tunnel</font></div>
<div><font face="monospace, monospace">
keyexchange=ikev2</font></div>
<div><font face="monospace, monospace">
fragmentation=yes</font></div>
<div><font face="monospace, monospace">
forceencaps=yes</font></div>
<div><font face="monospace, monospace">
ike=aes256gcm16-sha256-ecp521,<wbr>aes256-sha256-ecp384,aes256-<wbr>3des-sha1-modp1024!</font></div>
<div><font face="monospace, monospace">
esp=aes256gcm16-sha256,aes256-<wbr>3des-sha256-sha1!</font></div>
<div><font face="monospace, monospace">
dpdaction=clear</font></div>
<div><font face="monospace, monospace">
dpddelay=180s</font></div>
<div><font face="monospace, monospace">
rekey=no</font></div>
<div><font face="monospace, monospace">
left=%any</font></div>
<div><font face="monospace, monospace">
leftid=@${VPNHOST}</font></div>
<div><font face="monospace, monospace">
leftcert=cert.pem</font></div>
<div><font face="monospace, monospace">
leftsendcert=always</font></div>
<div><font face="monospace, monospace">
leftsubnet=0.0.0.0/0</font></div>
<div><font face="monospace, monospace">
right=%any</font></div>
<div><font face="monospace, monospace">
rightid=%any</font></div>
<div><font face="monospace, monospace">
rightauth=eap-radius</font></div>
<div><font face="monospace, monospace">
eap_identity=%any</font></div>
<div><font face="monospace, monospace">
rightdns=208.67.222.222,208.<wbr>67.220.220</font></div>
<div><font face="monospace, monospace">
rightsourceip=${VPNIPPOOL}</font></div>
<div><font face="monospace, monospace">
rightsendcert=never</font></div>
</div>
<div><br>
</div>
<div>Have the supported ike/esp
proposals somehow been changed
recently after a recent Windows 10
update?</div>
<div><br>
</div>
<div>I have made these changes on the
Windows 10, after googling for a
solution:</div>
<div><br>
</div>
<div><font face="monospace, monospace">-
The firewall on Windows 10 is
currently disabled. </font></div>
<font face="monospace, monospace">- I
have set NegotiateDH2048_AES256 = 1 in
Regedit<br>
- AssumeUDPEncapsulationContextO<wbr>nSendRule
= 2 in Regedit</font>
<div><br>
</div>
<div>I can't think of anything else I
could do on the Windows 10 client.<br>
<div><br>
</div>
<div>According to my notes, these are
the proposed protocols for Windows
10:</div>
<div><br>
</div>
<div>
<div><font face="monospace,
monospace"># these ike and esp
settings are tested on Mac
10.12, iOS 10 and Windows 10</font></div>
<div><font face="monospace,
monospace"># iOS/Mac with
appropriate configuration
profiles use
AES_GCM_16_256/PRF_HMAC_SHA2_<wbr>256/ECP_521</font></div>
<div><font face="monospace,
monospace"># Windows 10 uses
AES_CBC_256/HMAC_SHA2_256_128/<wbr>PRF_HMAC_SHA2_256/ECP_384</font></div>
</div>
<div><br>
</div>
<div>Is there a website that
translates
AES_CBC_256/HMAC_SHA2_256_128/<wbr>PRF_HMAC_SHA2_256/ECP_384
into the right naming for ipsec.conf
so that I enter them under ike and
esp respectively? I can't quite make
out if I have these settings there
or not.</div>
<div><br>
</div>
<div>If you have any other advice,
please help me.</div>
<div><br>
</div>
<div>Many Thanks,</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
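<br>
The translation asked about in the first message, together with the received-versus-configured comparison done by eye on the log, as an added example that is not part of the original thread: it maps the transform names charon logs to ipsec.conf keywords and checks the two proposal lists against each other. The helper names and the matching rule are simplified assumptions, not strongSwan code; the weak set is the list the replies say to drop, with sha1 also counted in its PRF form.<br>
<br>
```python
# Added example; helper names are hypothetical, not part of strongSwan.
# Transform names as charon logs them to (type, ipsec.conf keyword); only names in this thread.
KEYWORDS = {
    "AES_CBC_256": ("enc", "aes256"), "AES_GCM_16_256": ("enc", "aes256gcm16"),
    "3DES_CBC": ("enc", "3des"), "HMAC_SHA1_96": ("integ", "sha1"),
    "HMAC_SHA2_256_128": ("integ", "sha256"), "HMAC_SHA2_384_192": ("integ", "sha384"),
    "PRF_HMAC_SHA1": ("prf", "prfsha1"), "PRF_HMAC_SHA2_256": ("prf", "prfsha256"),
    "PRF_HMAC_SHA2_384": ("prf", "prfsha384"), "MODP_1024": ("dh", "modp1024"),
    "MODP_2048": ("dh", "modp2048"), "ECP_384": ("dh", "ecp384"), "ECP_521": ("dh", "ecp521"),
}
WEAK = {"3des", "sha1", "prfsha1", "modp1024"}  # what the replies say to drop

def parse_proposals(log_line):
    """Parse a 'received/configured proposals:' line into [{type: [keywords]}]."""
    proposals = []
    for item in log_line.split("proposals:", 1)[1].split(","):
        prop = {}
        for name in item.strip().split(":", 1)[1].split("/"):  # strip the "IKE:" prefix
            kind, keyword = KEYWORDS[name]
            prop.setdefault(kind, []).append(keyword)
        proposals.append(prop)
    return proposals

def to_conf(prop):
    """Render one proposal in ipsec.conf ike=/esp= notation."""
    return "-".join(kw for kind in ("enc", "integ", "prf", "dh") for kw in prop.get(kind, []))

def weak_algorithms(prop):
    return sorted(WEAK.intersection(kw for kws in prop.values() for kw in kws))

def select(received, configured):
    """Simplified matching: same transform types and one shared algorithm per type."""
    for r in received:
        for c in configured:
            if set(r) == set(c) and all(set(r[k]).intersection(c[k]) for k in r):
                return {k: [a for a in c[k] if a in r[k]][:1] for k in r}
    return None

# The two CFG lines from the log in this thread, rejoined onto single lines.
RECEIVED = ("received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
            "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048")
CONFIGURED = ("configured proposals: IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, "
              "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, "
              "IKE:AES_CBC_256/3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")

if __name__ == "__main__":
    rx, cfg = parse_proposals(RECEIVED), parse_proposals(CONFIGURED)
    print("match with current config:", select(rx, cfg), [to_conf(p) for p in rx])
```
<br>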
</body>
</html>