[strongSwan] weird configured proposals

Gerald Richter - ECOS richter at ecos.de
Thu Jun 20 14:35:28 CEST 2013


Hi Martin,

thanks for your quick reply. With the ! it sends only the configured proposal, as I intended.

Regards

Gerald

> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: Thursday, 20 June 2013 14:27
> To: Gerald Richter
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] weird configured proposals
> 
> Hi Gerald,
> 
> >    ike="3des-sha1-modp1536"
> >
> > configured proposals:
> >   IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> >   IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/[...]
> 
> > Any idea what might be wrong here?
> 
> If you configure a proposal in ipsec.conf non-strict (without a "!"), charon
> appends its "default proposal". This additional proposal is used as fallback,
> and includes all algorithms that are supported and are considered safe.
> 
> You can omit this "default proposal" by appending an exclamation mark to
> your proposal.
> 
> This fallback proposal works very well for IKEv2. However, with IKEv1, it is not
> possible to include multiple algorithms of the same kind
> (encryption/hash) in a single proposal. As we can't include a proposal for
> each combination, we currently just pick the first algorithm of each kind to
> form that fallback proposal. Depending on your configured plugins, this might
> or might not result in a usable combination.
> 
> It's on my TODO list to change that "default proposal" when using IKEv1 to
> something more predictable. Just not sure yet what the best approach would
> be.
> 
> Regards
> Martin
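
An added example, not part of the original thread or of strongSwan itself: a small audit that flags `ike=`/`esp=` settings in an ipsec.conf that lack the trailing `!`, i.e. the ones where charon would append its default proposal as described above. The sample configuration and connection names are constructed; checking `esp=` the same way as `ike=` is an assumption based on the ipsec.conf documentation, and inheritance via `conn %default` or `also=` is not resolved.

```python
import re

# Constructed sample ipsec.conf (connection names and values are made up).
SAMPLE_CONF = '''\
config setup
    charondebug="cfg 2"

conn %default
    keyexchange=ikev1

conn legacy-peer
    ike="3des-sha1-modp1536"
    esp=3des-sha1!

conn branch
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!   # strict
    esp=aes256-sha256!

conn no-proposal
    left=%any
'''

def audit_proposals(text):
    """Return (conn, key, value, strict) for each ike=/esp= line in a conn section."""
    findings, conn = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section headers start in column 0
            parts = line.split()
            conn = parts[1] if parts[0] == 'conn' and len(parts) > 1 else None
            continue
        m = re.match(r'\s+(ike|esp)\s*=\s*(.*)$', line)
        if conn and m:
            value = m.group(2).strip().strip('"')
            # The strict flag is a single "!" at the end of the whole value.
            findings.append((conn, m.group(1), value, value.endswith('!')))
    return findings

def non_strict(text):
    """Settings for which the daemon would add its fallback default proposal."""
    return [(c, k, v) for c, k, v, strict in audit_proposals(text) if not strict]

if __name__ == '__main__':
    for c, k, v in non_strict(SAMPLE_CONF):
        print(f'conn {c}: {k}={v} is non-strict; default proposal will be appended')
```
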





