[strongSwan] weird configured proposals

Martin Willi martin at strongswan.org
Thu Jun 20 14:27:11 CEST 2013


Hi Gerald,

>    ike="3des-sha1-modp1536"
>  
> configured proposals: 
>   IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, 
>   IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/[...]
> Any idea what might be wrong here?

If you configure a proposal in ipsec.conf non-strict (without a "!"),
charon appends its "default proposal". This additional proposal is used
as fallback, and includes all algorithms that are supported and are
considered safe.

You can omit this "default proposal" by appending an exclamation mark to
your proposal.

This fallback proposal works very well for IKEv2. However, with IKEv1,
it is not possible to include multiple algorithms of the same kind
(encryption/hash) in a single proposal. As we can't include a proposal
for each combination, we currently just pick the first algorithm of each
kind to form that fallback proposal. Depending on your configured
plugins, this might or might not result in a usable combination.

It's on my TODO list to change that "default proposal" when using IKEv1
to something more predictable. Just not sure yet what the best approach
would be.

Regards
Martin
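The behaviour Martin describes can be checked before a configuration goes live. The following is an added example, not charon's code: a small Python model of how a non-strict `ike=` setting gets the default proposal appended, how `!` suppresses it, and how the IKEv1 fallback collapses to the first algorithm of each kind. The keyword table is a small subset, the stand-in default proposal is constructed (its first entries follow the truncated listing quoted above, the rest are assumptions), and the PRF-from-integrity mapping is assumed for the example; `lint()` and the other function names are the example's own.

```python
"""Model of strongSwan's proposal handling as described in the post:
a non-strict ike= value gets charon's "default proposal" appended, a
trailing "!" suppresses it, and under IKEv1 the fallback is reduced to
the first algorithm of each kind. Added example, not charon's code."""

# Subset of ipsec.conf keywords -> (kind, algorithm name). Constructed for
# the example; charon knows many more keywords than these.
KEYWORDS = {
    "3des": ("encryption", "3DES_CBC"),
    "aes128": ("encryption", "AES_CBC_128"),
    "aes256": ("encryption", "AES_CBC_256"),
    "sha1": ("integrity", "HMAC_SHA1_96"),
    "sha256": ("integrity", "HMAC_SHA2_256_128"),
    "modp1536": ("dh", "MODP_1536"),
    "modp2048": ("dh", "MODP_2048"),
}

# PRF derived from the integrity algorithm, matching the post's printout
# (HMAC_SHA1_96 -> PRF_HMAC_SHA1). Assumed mapping for the example.
PRF_FOR = {
    "HMAC_SHA1_96": "PRF_HMAC_SHA1",
    "HMAC_SHA2_256_128": "PRF_HMAC_SHA2_256",
    "AES_XCBC_96": "PRF_AES128_XCBC",
}

# Stand-in for charon's default proposal. The four encryption entries and
# the first integrity entry follow the truncated listing quoted in the post;
# the remaining entries are constructed so the model runs self-contained.
DEFAULT_PROPOSAL = {
    "encryption": ["AES_CBC_128", "AES_CBC_192", "AES_CBC_256", "3DES_CBC"],
    "integrity": ["AES_XCBC_96", "HMAC_SHA1_96"],
    "dh": ["MODP_2048"],
}

KINDS = ("encryption", "integrity", "dh")


def parse_ike(value):
    """Return (proposals, strict) for an ipsec.conf ike= value."""
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    proposals = []
    for spec in value.split(","):
        prop = {kind: [] for kind in KINDS}
        for keyword in spec.split("-"):
            if keyword not in KEYWORDS:
                raise ValueError(f"unknown keyword: {keyword}")
            kind, alg = KEYWORDS[keyword]
            prop[kind].append(alg)
        proposals.append(prop)
    return proposals, strict


def fallback_proposal(ikev1=False):
    """The appended default proposal; under IKEv1 only the first of each kind."""
    if not ikev1:
        return {kind: list(algs) for kind, algs in DEFAULT_PROPOSAL.items()}
    return {kind: algs[:1] for kind, algs in DEFAULT_PROPOSAL.items()}


def effective_proposals(value, ikev1=False):
    """What charon would actually offer for this ike= setting."""
    proposals, strict = parse_ike(value)
    if not strict:
        proposals.append(fallback_proposal(ikev1))
    return proposals


def format_proposal(prop):
    """Render one proposal the way charon logs it: IKE:ENC/INTEG/PRF/DH."""
    parts = list(prop["encryption"]) + list(prop["integrity"])
    parts += [PRF_FOR[alg] for alg in prop["integrity"] if alg in PRF_FOR]
    parts += prop["dh"]
    return "IKE:" + "/".join(parts)


def lint(value, ikev1=False):
    """Warnings worth reading before deploying the setting."""
    warnings = []
    proposals, strict = parse_ike(value)
    if not strict:
        fallback = format_proposal(fallback_proposal(ikev1))
        warnings.append(f"non-strict proposal: charon will also offer {fallback}")
        if ikev1:
            warnings.append("IKEv1 fallback is the first algorithm of each kind; "
                            "verify it is usable with the loaded plugins")
    if ikev1:
        for prop in proposals:
            for kind in KINDS:
                if len(prop[kind]) > 1:
                    warnings.append(f"IKEv1 cannot carry several {kind} algorithms "
                                    f"in one proposal: {'/'.join(prop[kind])}")
    return warnings


if __name__ == "__main__":
    for setting in ("3des-sha1-modp1536", "3des-sha1-modp1536!"):
        print(setting)
        for prop in effective_proposals(setting):
            print("  ", format_proposal(prop))
        for warning in lint(setting, ikev1=True):
            print("   warning:", warning)
```

Run against the setting from the question, the model reproduces the two "configured proposals" lines from the quoted output for the non-strict case and a single line once the `!` is appended.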
