[strongSwan] weird configured proposals

Gerald Richter - ECOS richter at ecos.de
Thu Jun 20 14:35:28 CEST 2013

Hi Martin,

thanks for your quick reply. With the ! it sends only the configured proposal, as I intended.



> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: Thursday, June 20, 2013 14:27
> To: Gerald Richter
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] weird configured proposals
>
> Hi Gerald,
> >    ike="3des-sha1-modp1536"
> >
> > configured proposals:
> >
> ]
> > Any idea what might be wrong here?
> If you configure a proposal in ipsec.conf non-strict (without a "!"), charon
> appends its "default proposal". This additional proposal is used as fallback,
> and includes all algorithms that are supported and are considered safe.
> You can omit this "default proposal" by appending an exclamation mark to
> your proposal.
> This fallback proposal works very well for IKEv2. However, with IKEv1, it is not
> possible to include multiple algorithms of the same kind
> (encryption/hash) in a single proposal. As we can't include a proposal for
> each combination, we currently just pick the first algorithm of each kind to
> form that fallback proposal. Depending on your configured plugins, this might
> or might not result in a usable combination.
> It's on my TODO list to change that "default proposal" when using IKEv1 to
> something more predictable. Just not sure yet what the best approach would
> be.
> Regards
> Martin
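
An added example, not part of the original thread and not strongSwan's own code: a small Python check that lists the connections in an ipsec.conf whose ike= or esp= proposal lacks the trailing "!", which is where charon appends its default proposal as described above. The sample configuration, connection names and address are constructed; checking esp= as well assumes the strict flag is honoured there in the same way.

```python
# Constructed sample ipsec.conf; names and addresses are made up for the example.
SAMPLE_CONF = '''\
conn %default
    keyexchange=ikev1

conn legacy-peer
    ike="3des-sha1-modp1536"
    esp=3des-sha1!
    right=192.0.2.10

conn strict-peer
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!   # strict: only this proposal is sent
    esp=aes256-sha256!
'''

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section headers start at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == 'conn'
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and '=' in line:  # indented option inside a conn
            key, value = line.strip().split('=', 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def non_strict_proposals(text):
    """List (conn, option, keyexchange, value) for proposals without a trailing '!'."""
    conns = parse_conns(text)
    defaults = conns.pop('%default', {})          # inherited by every other conn
    findings = []
    for name, opts in conns.items():
        merged = {**defaults, **opts}
        kex = merged.get('keyexchange', 'ike')    # 'ike' is the strongSwan 5.x default
        for option in ('ike', 'esp'):
            value = merged.get(option)
            if value and not value.endswith('!'):
                findings.append((name, option, kex, value))
    return findings

if __name__ == '__main__':
    for name, option, kex, value in non_strict_proposals(SAMPLE_CONF):
        print(f'{name}: {option}={value} is non-strict (keyexchange={kex})')
```

Findings with keyexchange=ikev1 are the ones to look at first, since that is the case where the appended fallback is built from the first algorithm of each kind.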
