[strongSwan] Strict flag with different algorithms in multiple connection configurations
Andreas Steffen
andreas.steffen at strongswan.org
Mon May 2 12:07:27 CEST 2011
Hello Hans-Kristian,
the problem is that strongSwan as a responder must select a
matching proposal upon the reception of the IKE_INIT_SA request
so that the following IKE_AUTH messages can be encrypted.
Since all connection definitions contain right=%any and
rightid will be transmitted within the IKE_AUTH payload,
strongSwan selects the first matching proposal.
Thus the only solution is to define a joint list of accepted
crypto algorithms e.g. in the %default connection section
ike=aes256-aesxcbc-ecp521,aes256-sha1-modp1024!
esp=aes256gcm16-ecp521,aes256-sha1!
Kind regards
Andreas
BTW: To my knowledge the Windows 7 Agile VPN client does not
support Suite B Elliptic Curve Cryptography. Only Microsoft's
old IKEv1-based IPsec stack does.
On 02.05.2011 11:46, Hans-Kristian Bakke wrote:
> Hi
>
> I have a problem using multiple strict flags in my ipsec.conf
> configuration on Debian Squeeze (strongswan package v4.4.1-5.1):
>
>
> ----
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
> config setup
>         charonstart=yes
>         plutostart=no
>
> # Add connections here.
> conn %default
>         keyexchange=ikev2
>         auth=esp
>         leftauth=pubkey
>         left=%defaultroute
>         leftcert=vpn-serverCert.pem
>         leftfirewall=no
>         leftsubnet=0.0.0.0/0
>         reauth=no
>
> conn rw-uranus
>         right=%any
>         rightsourceip=10.0.1.2
>         rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Backup server, CN=uranus.nixuser.net"
>         auto=add
>         ike=aes256-aesxcbc-ecp521!
>         esp=aes256gcm16-ecp521!
>         dpdaction=clear
>
> conn windows-7
>         right=%any
>         rightsourceip=10.0.1.3
>         rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Windows 7 klient, CN=klient.nixuser.net"
>         auto=add
>         ike=aes256-sha1-modp1024!
>         esp=aes256-sha1!
>         dpdaction=clear
>         rekey=no
>
> conn rw-europa
>         right=%any
>         rightsourceip=10.0.1.4
>         rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Filserver, CN=europa.nixuser.net"
>         auto=add
>         ike=aes256-aesxcbc-ecp521!
>         esp=aes256gcm16-ecp521!
>         dpdaction=clear
>
> include /var/lib/strongswan/ipsec.conf.inc
> ----
>
>
> When I try to connect with the windows-7 client I get the following in
> syslog:
> configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521
> which indicates to me that the first strict flag is probably globally
> overriding everything, also in the connections where other algorithms are defined.
> The Windows 7 client can't connect as a result of this.
> If I remove the strict flags everything works as intended.
>
> Is it only possible to have one global (even if defined inside a
> connection) single ike/esp definition using strict flag in ipsec.conf?
>
> ---
> Regards,
> *Hans-Kristian Bakke*
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
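To make the responder-side ordering problem concrete, here is a small model of the selection logic Andreas describes (added illustration; this is not strongSwan's own code and deliberately simplifies charon: proposals are compared as ipsec.conf strings rather than as IKE transform IDs, and the list of default proposals appended when "!" is absent is a constructed stand-in, not the daemon's real built-in list). The three connections, their ike= lines and the suggested joint list are taken from the thread; the peer address, the abbreviated rightid values and the initiators' offered proposal lists are constructed for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for the proposals the daemon appends when the "!"
# strict flag is absent; the real built-in default list is not quoted here.
DEFAULT_IKE_PROPOSALS = ["aes128-sha1-modp2048", "3des-sha1-modp1024"]


@dataclass(frozen=True)
class Conn:
    """The parts of an ipsec.conf conn section that matter for IKE selection."""
    name: str
    right: str     # peer address selector; "%any" matches every address
    rightid: str   # peer identity, only learned from the IKE_AUTH payload
    ike: str       # ike= value; a trailing "!" means no defaults are appended


def parse_proposals(value: str) -> list[str]:
    """Split an ike= value into its proposal list, honouring the strict flag."""
    strict = value.endswith("!")
    body = value[:-1] if strict else value
    props = [p.strip() for p in body.split(",") if p.strip()]
    if not strict:
        props += DEFAULT_IKE_PROPOSALS
    return props


def select_at_ike_sa_init(conns, peer_addr, offered):
    """Responder view at IKE_SA_INIT: only the peer address is known, so the
    first conn whose right= matches is used and the IKE proposal must be
    agreed from that conn's list alone (model of the behaviour described in
    the reply above, not charon's code)."""
    candidates = [c for c in conns if c.right in ("%any", peer_addr)]
    if not candidates:
        return None, None
    conn = candidates[0]
    configured = parse_proposals(conn.ike)
    for prop in offered:              # initiator's preference order
        if prop in configured:
            return conn, prop
    return conn, None                 # -> NO_PROPOSAL_CHOSEN


def select_at_ike_auth(conns, peer_id):
    """Once IKE_AUTH reveals the identity the responder can switch to the
    conn whose rightid matches, but the IKE proposal is already fixed."""
    for c in conns:
        if c.rightid == peer_id:
            return c
    return None


def negotiate(conns, peer_addr, peer_id, offered):
    """Return (chosen IKE proposal, final conn name); (None, None) on failure."""
    _, prop = select_at_ike_sa_init(conns, peer_addr, offered)
    if prop is None:
        return None, None
    final = select_at_ike_auth(conns, peer_id)
    return prop, (final.name if final else None)


# Constructed from the configuration in the original post; DNs abbreviated.
PER_CONN_STRICT = [
    Conn("rw-uranus", "%any", "CN=uranus.nixuser.net", "aes256-aesxcbc-ecp521!"),
    Conn("windows-7", "%any", "CN=klient.nixuser.net", "aes256-sha1-modp1024!"),
    Conn("rw-europa", "%any", "CN=europa.nixuser.net", "aes256-aesxcbc-ecp521!"),
]

# Same conns without "!", as in "if I remove the strict flags".
PER_CONN_LOOSE = [Conn(c.name, c.right, c.rightid, c.ike.rstrip("!"))
                  for c in PER_CONN_STRICT]

# The suggested fix: one joint list, as every conn would inherit it from %default.
JOINT_IKE = "aes256-aesxcbc-ecp521,aes256-sha1-modp1024!"
JOINT_IN_DEFAULT = [Conn(c.name, c.right, c.rightid, JOINT_IKE)
                    for c in PER_CONN_STRICT]

# Constructed initiator proposal lists; what a real client offers may differ.
WIN7_OFFER = ["aes256-sha1-modp1024", "3des-sha1-modp1024"]
URANUS_OFFER = ["aes256-aesxcbc-ecp521"]
PEER = "203.0.113.7"  # constructed peer address


if __name__ == "__main__":
    for label, conns in (("per-conn strict", PER_CONN_STRICT),
                         ("per-conn loose", PER_CONN_LOOSE),
                         ("joint in %default", JOINT_IN_DEFAULT)):
        print(label)
        print("  windows-7:", negotiate(conns, PEER, "CN=klient.nixuser.net", WIN7_OFFER))
        print("  rw-uranus:", negotiate(conns, PEER, "CN=uranus.nixuser.net", URANUS_OFFER))
```

With the per-connection strict lists the Windows 7 peer is matched against rw-uranus at IKE_SA_INIT, because every conn has right=%any and the identity is not yet available, and gets no proposal; with the joint list it agrees aes256-sha1-modp1024 and is then moved to the windows-7 conn at IKE_AUTH. The model also shows why dropping "!" appears to "work": the initiator's weaker fallback (3DES in this constructed offer) is accepted from the appended defaults, so the strict flag was doing its job of refusing that, and the joint list is the fix that keeps the restriction.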