[strongSwan] Strict flag with different algorithms in multiple connection configurations

Hans-Kristian Bakke hkbakke at gmail.com
Mon May 2 11:46:47 CEST 2011


Hi

I have a problem using multiple strict flags in my ipsec.conf configuration
on Debian Squeeze (strongswan package v4.4.1-5.1):


----
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
        charonstart=yes
        plutostart=no

# Add connections here.
conn %default
        keyexchange=ikev2
        auth=esp
        leftauth=pubkey
        left=%defaultroute
        leftcert=vpn-serverCert.pem
        leftfirewall=no
        leftsubnet=0.0.0.0/0
        reauth=no

conn rw-uranus
        right=%any
        rightsourceip=10.0.1.2
        rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Backup server, CN=uranus.nixuser.net"
        auto=add
        ike=aes256-aesxcbc-ecp521!
        esp=aes256gcm16-ecp521!
        dpdaction=clear

conn windows-7
        right=%any
        rightsourceip=10.0.1.3
        rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Windows 7 klient, CN=klient.nixuser.net"
        auto=add
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        rekey=no

conn rw-europa
        right=%any
        rightsourceip=10.0.1.4
        rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Filserver, CN=europa.nixuser.net"
        auto=add
        ike=aes256-aesxcbc-ecp521!
        esp=aes256gcm16-ecp521!
        dpdaction=clear

include /var/lib/strongswan/ipsec.conf.inc
----


When I try to connect with the windows-7 client I get the following in
syslog:
configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521
which indicates to me that the first strict flag is probably globally
overriding everything, also in the connections where other algorithms are defined.
The Windows 7 client can't connect as a result of this.
If I remove the strict flags everything works as intended.

Is it only possible to have one global (even if defined inside a connection)
single ike/esp definition using strict flag in ipsec.conf?

---
Regards,
*Hans-Kristian Bakke*