[strongSwan] charon support for DES_MAC?

Andreas Steffen andreas.steffen at strongswan.org
Wed Oct 19 21:32:11 CEST 2011


Hello François,

as you can see from our IKEv2 algorithm overview, strongSwan does
not support the DES_MAC integrity algorithm:

http://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

Why would you want to use such a weak algorithm anyway?

Regards

Andreas

On 10/19/2011 06:02 PM, François Ouellet wrote:
> Hello,
> 
> I'm trying to set up a tunnel between a Digi WR44 and strongSwan 4.5.2
> (from Debian squeeze-backports).
> 
> Here are the relevant (I think) logs from charon:
> 
> charon: 15[CFG] received proposals:
> IKE:AES_CBC_128/DES_MAC/PRF_HMAC_SHA1/MODP_1536
> charon: 15[CFG] configured proposals:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
> charon: 15[IKE] received proposals inacceptable
> 
> The DES_MAC part doesn't seem configurable on the WR44.
> 
> I tried to add
> 
>   ike=aes128-des-sha1-modp1536
> 
> in /etc/ipsec.conf but charon's proposal becomes
> 
>   AES_CBC_128/DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> 
> Is there any way to have charon accept WR44's proposal?
> 
> 
> Thank you

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
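
Added example, not part of the original thread and not strongSwan code: a small parser for the charon proposal strings quoted above that reports, per configured proposal, which transform types share no algorithm with the peer's offer. The name classifier is a heuristic assumed for the names seen in this log, and the third configured proposal is abridged from the long default list.

```python
import re

# Heuristic classifier for the transform names that appear in this thread's
# charon log (an assumption of this example, not strongSwan's keyword table).
def transform_type(name):
    if name.startswith("PRF_"):
        return "PRF"
    if re.match(r"(MODP|ECP)_", name):
        return "DH"
    if name.startswith("HMAC_") or name in ("AES_XCBC_96", "DES_MAC"):
        return "INTEG"
    return "ENCR"

def parse_proposal(text):
    """'IKE:A/B/C' -> dict mapping transform type to the set of offered names."""
    _, _, algs = text.strip().partition(":")
    out = {"ENCR": set(), "INTEG": set(), "PRF": set(), "DH": set()}
    for name in algs.split("/"):
        out[transform_type(name)].add(name)
    return out

def mismatches(received, configured):
    """Transform types for which the two proposals share no algorithm.
    A type absent on both sides (e.g. no integrity with AEAD) is not a mismatch."""
    r, c = parse_proposal(received), parse_proposal(configured)
    return [t for t in ("ENCR", "INTEG", "PRF", "DH")
            if (r[t] or c[t]) and not (r[t] & c[t])]

def explain(received, configured_list):
    """One entry per configured proposal: the blocking transform types."""
    return [mismatches(received, c) for c in configured_list]

RECEIVED = "IKE:AES_CBC_128/DES_MAC/PRF_HMAC_SHA1/MODP_1536"
CONFIGURED = [
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536",
    # Third proposal abridged from the log's long default list.
    "IKE:AES_CBC_128/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_MD5_96/"
    "PRF_HMAC_SHA1/MODP_2048/MODP_1536/MODP_1024",
]

if __name__ == "__main__":
    for conf, missing in zip(CONFIGURED, explain(RECEIVED, CONFIGURED)):
        print(conf[:44], "->", missing or "acceptable")
```

Every configured proposal is blocked on the integrity transform, and the `ike=aes128-des-sha1-modp1536` attempt changes nothing because `des` lands in the encryption set as DES_CBC.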



