[strongSwan] Strict flag with different algorithms in multiple connection configurations
Hans-Kristian Bakke
hkbakke at gmail.com
Mon May 2 12:18:04 CEST 2011
Thank you for your detailed answer.
FYI:
The aes256-aesxcbc-ecp521 algorithms are only used against two other Debian
Squeeze/strongSwan configurations and are supported and working according to
ipsec statusall.
Regards,
Hans-Kristian Bakke
On Mon, May 2, 2011 at 12:07, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> Hello Hans-Kristian,
>
> the problem is that strongSwan as a responder must select a
> matching proposal upon the reception of the IKE_INIT_SA request
> so that the following IKE_AUTH messages can be encrypted.
> Since all connection definitions contain right=%any and
> rightid will be transmitted within the IKE_AUTH payload,
> strongSwan selects the first matching proposal.
>
> Thus the only solution is to define a joint list of accepted
> crypto algorithms e.g. in the %default connection section
>
> ike=aes256-aesxcbc-ecp521,aes256-sha1-modp1024!
> esp=aes256gcm16-ecp521,aes256-sha1!
>
> Kind regards
>
> Andreas
>
> BTW: To my knowledge the Windows 7 Agile VPN client does not
> support Suite B Elliptic Curve Cryptography. Only Microsoft's
> old IKEv1-based IPsec stack does.
>
> On 02.05.2011 11:46, Hans-Kristian Bakke wrote:
> > Hi
> >
> > I have a problem using multiple strict flags in my ipsec.conf
> > configuration on Debian Squeeze (strongswan package v4.4.1-5.1):
> >
> >
> > ----
> > # ipsec.conf - strongSwan IPsec configuration file
> >
> > # basic configuration
> > config setup
> >         charonstart=yes
> >         plutostart=no
> >
> > # Add connections here.
> > conn %default
> >         keyexchange=ikev2
> >         auth=esp
> >         leftauth=pubkey
> >         left=%defaultroute
> >         leftcert=vpn-serverCert.pem
> >         leftfirewall=no
> >         leftsubnet=0.0.0.0/0
> >         reauth=no
> >
> > conn rw-uranus
> >         right=%any
> >         rightsourceip=10.0.1.2
> >         rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Backup server, CN=uranus.nixuser.net"
> >         auto=add
> >         ike=aes256-aesxcbc-ecp521!
> >         esp=aes256gcm16-ecp521!
> >         dpdaction=clear
> >
> > conn windows-7
> >         right=%any
> >         rightsourceip=10.0.1.3
> >         rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Windows 7 klient, CN=klient.nixuser.net"
> >         auto=add
> >         ike=aes256-sha1-modp1024!
> >         esp=aes256-sha1!
> >         dpdaction=clear
> >         rekey=no
> >
> > conn rw-europa
> >         right=%any
> >         rightsourceip=10.0.1.4
> >         rightid="C=NO, ST=Oppland, O=nixuser.net, OU=Filserver, CN=europa.nixuser.net"
> >         auto=add
> >         ike=aes256-aesxcbc-ecp521!
> >         esp=aes256gcm16-ecp521!
> >         dpdaction=clear
> >
> > include /var/lib/strongswan/ipsec.conf.inc
> > ----
> >
> >
> > When I try to connect with the windows-7 client I get the following in
> > syslog:
> > configured proposals: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/ECP_521
> > which indicates to me that the first strict flag is probably globally
> > overriding everything, also in the connections where other algorithms are
> > defined.
> > The Windows 7 client can't connect as a result of this.
> > If I remove the strict flags everything works as intended.
> >
> > Is it only possible to have one global (even if defined inside a
> > connection) single ike/esp definition using the strict flag in ipsec.conf?
> >
> > ---
> > Regards,
> > Hans-Kristian Bakke
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
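The selection logic Andreas describes, written out as an added example (this is not strongSwan code and not part of the thread): it parses ike= strings in ipsec.conf syntax, picks the conn a responder can choose at IKE_SA_INIT when it only knows the peer address, and intersects that conn's list with what the initiator offered. The conn order, the peer address 192.0.2.10 and the client's offered proposal are constructed for the example; the responder-preference ordering in select_proposal is an assumption about charon's behaviour, and the built-in default proposals that are appended when '!' is absent are deliberately not modelled because they depend on the strongSwan version.

```python
"""Model of responder-side IKE proposal selection with several right=%any
conns, as in the posted ipsec.conf.  Added example, not strongSwan code."""

from typing import Dict, List, Optional, Tuple

Proposal = Tuple[str, ...]  # e.g. ('aes256', 'sha1', 'modp1024')


def parse_proposals(spec: str) -> Tuple[List[Proposal], bool]:
    """Split 'aes256-aesxcbc-ecp521,aes256-sha1-modp1024!' into an ordered
    list of proposals plus the strict flag ('!' suffix).  Without '!' charon
    appends its built-in defaults; that list is version specific and is
    intentionally not modelled here."""
    spec = spec.strip()
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    proposals: List[Proposal] = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            proposals.append(tuple(item.split("-")))
    return proposals, strict


def select_conn(conns: List[Dict[str, str]], peer_addr: str) -> Optional[Dict[str, str]]:
    """At IKE_SA_INIT the responder knows the peer address but not rightid
    (that arrives in IKE_AUTH), so it takes the first conn whose right=
    matches.  With right=%any on every conn that is always the first one."""
    for conn in conns:
        if conn["right"] in ("%any", peer_addr):
            return conn
    return None


def select_proposal(responder: List[Proposal], initiator: List[Proposal]) -> Optional[Proposal]:
    """First proposal, in the responder's configured order (assumption about
    charon), that the initiator also offered.  None models NO_PROPOSAL_CHOSEN."""
    offered = set(initiator)
    for prop in responder:
        if prop in offered:
            return prop
    return None


def negotiate(conns: List[Dict[str, str]], peer_addr: str,
              initiator_spec: str) -> Tuple[Optional[str], Optional[Proposal]]:
    """Return (conn name used at IKE_SA_INIT, selected IKE proposal or None)."""
    conn = select_conn(conns, peer_addr)
    if conn is None:
        return None, None
    responder_list, _strict = parse_proposals(conn["ike"])
    initiator_list, _ = parse_proposals(initiator_spec)
    return conn["name"], select_proposal(responder_list, initiator_list)


def posted_conns(default_ike: Optional[str] = None) -> List[Dict[str, str]]:
    """Constructed: the three conns from the posted ipsec.conf in file order.
    If default_ike is given it stands for a joint ike= line in %default with
    the per-conn ike= lines removed, i.e. the fix Andreas proposes."""
    per_conn = {
        "rw-uranus": "aes256-aesxcbc-ecp521!",
        "windows-7": "aes256-sha1-modp1024!",
        "rw-europa": "aes256-aesxcbc-ecp521!",
    }
    return [{"name": name, "right": "%any", "ike": default_ike or spec}
            for name, spec in per_conn.items()]


# Constructed stand-in for what the Windows 7 client offers (the proposal the
# windows-7 conn was written for), and the joint list from the reply.
WINDOWS_OFFER = "aes256-sha1-modp1024"
JOINT_IKE = "aes256-aesxcbc-ecp521,aes256-sha1-modp1024!"

if __name__ == "__main__":
    # Per-conn strict lists: rw-uranus is chosen and nothing matches.
    print(negotiate(posted_conns(), "192.0.2.10", WINDOWS_OFFER))
    # Joint list in %default: rw-uranus is still chosen, but now a match exists.
    print(negotiate(posted_conns(JOINT_IKE), "192.0.2.10", WINDOWS_OFFER))
```

The model stops at IKE_SA_INIT on purpose: once the joint list lets the exchange succeed, the peer's rightid in IKE_AUTH is what lets charon switch to the intended conn (windows-7 here) for the rest of the setup, which is why the per-conn algorithm lists cannot be the deciding factor at the first exchange.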