[strongSwan] charon support for DES_MAC?

François Ouellet fouell at gmail.com
Wed Oct 19 18:02:50 CEST 2011


Hello,

I'm trying to set up a tunnel between a Digi WR44 and strongSwan 4.5.2
(from Debian squeeze-backports).

Here are the relevant (I think) logs from charon:

charon: 15[CFG] received proposals:
IKE:AES_CBC_128/DES_MAC/PRF_HMAC_SHA1/MODP_1536
charon: 15[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 15[IKE] received proposals inacceptable

The DES_MAC part doesn't seem configurable on the WR44.

I tried to add

  ike=aes128-des-sha1-modp1536

in /etc/ipsec.conf but charon's proposal becomes

  AES_CBC_128/DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

Is there any way to have charon accept WR44's proposal?


Thank you
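
Added example, not part of the original message and not strongSwan code: a small Python diagnostic that parses charon's "received proposals" and "configured proposals" log lines and reports, per configured proposal, which transform types have nothing in common with the peer's offer. The function names, the name-based transform classification and the sample log (rebuilt from the lines above, third proposal abbreviated) are assumptions made for this example.

```python
import re

# Constructed sample: the charon lines from the message above, one log entry per
# line, with the long third configured proposal abbreviated.
SAMPLE_LOG = """\
charon: 15[CFG] received proposals: IKE:AES_CBC_128/DES_MAC/PRF_HMAC_SHA1/MODP_1536
charon: 15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_MD5_96/PRF_AES128_XCBC/PRF_HMAC_SHA1/MODP_2048/MODP_1536/MODP_1024
charon: 15[IKE] received proposals inacceptable
"""

def transform_type(name):
    """Classify a transform by charon's naming (heuristic assumed for this example)."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("MODP_", "ECP_")):
        return "DH"
    if name.startswith("HMAC_") or name == "DES_MAC" or "XCBC" in name:
        return "INTEG"
    return "ENCR"  # e.g. AES_CBC_128, 3DES_CBC, DES_CBC, CAMELLIA_CBC_128

def parse_proposal(text):
    """'IKE:A/B/C' -> {transform type: set of transform names}."""
    _, _, transforms = text.strip().partition(":")
    groups = {}
    for name in transforms.split("/"):
        groups.setdefault(transform_type(name), set()).add(name)
    return groups

def parse_log(log):
    """Return (received, configured) lists of parsed proposals from [CFG] lines."""
    found = {"received": [], "configured": []}
    pattern = r"\[CFG\] (received|configured) proposals:\s*(.*)"
    for kind, body in re.findall(pattern, log):
        found[kind] = [parse_proposal(p) for p in body.split(",") if p.strip()]
    return found["received"], found["configured"]

def unmatched_types(received, configured):
    """Transform types in the peer's proposal with no algorithm in common with ours."""
    return sorted(t for t, names in received.items()
                  if not names & configured.get(t, set()))

def diagnose(log):
    """For each received proposal, list the blocking types per configured proposal."""
    received, configured = parse_log(log)
    return [[unmatched_types(r, c) for c in configured] for r in received]

if __name__ == "__main__":
    for per_config in diagnose(SAMPLE_LOG):
        for i, blockers in enumerate(per_config, 1):
            print(f"configured proposal {i}: no match for {blockers}")
```

On the sample, the integrity transform is the only type that fails against every configured proposal, and the DES_CBC produced by the `ike=` line in the message is an encryption transform, so it leaves that integrity mismatch in place.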



