[strongSwan] How to define multiple proposals in IKEv1

Steve Leung kesteve at kesteve.com
Mon Aug 29 13:28:02 CEST 2016


Hello everyone,


I'm currently switching from Openswan to Strongswan, and one thing I'm
having problems with is defining multiple proposals in IKEv1 Main Mode.

According to wiki.strongswan.org, both ipsec.conf and swanctl.conf are able
to define multiple proposals, by using a comma as the separator:

For ipsec.conf :-
e.g. ike=aes256-sha1-modp1024,3des-sha1-modp1024,aes128-sha2_256-modp1024
e.g. esp=aes256-sha1-modp1024,aes128-sha2_256-modp1024

Phase 1 (ike) does work as expected, it will try all the defined proposals
as long as I don't set the '!' exclamation mark at the end.

Question 1) Can I define multiple proposals for 'ike' and add '!' to
restrict Strongswan to accept only the defined proposals? Since the
initiator is not fixed, the local Strongswan can be the responder or initiator
depending on the scenario.


Unfortunately for Phase 2 (esp), it only chooses the first proposal
(aes256-sha1-modp1024 in this case), and after receiving the NO_PROPOSAL_CHOSEN
error, it simply stops and does nothing.

Question 2) Is it possible to define multiple proposals for 'esp', as well
as when I add the '!' flag?


I have tried both ipsec.conf and swanctl.conf as the configuration method
but all failed. I hope I'm not misunderstanding the document, but the
swanctl.conf wiki has the statement "Use multiple proposals to offer
different algorithms combinations in IKEv1.", so I think it is quite
clear that multiple proposals should be supported for IKEv1 in both phase 1 and
2.

Thank you very much for your time; I hope someone can give me some direction on
how to solve this problem. 😀


Best regards,
Steve
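An added example, not part of the original post or of strongSwan itself: a small Python checker for the proposal-string syntax quoted above (comma-separated proposals, dash-separated algorithm keywords, optional trailing '!' strict marker in ipsec.conf). It parses each proposal into its slots and flags the algorithms a defender would want to retire; the keyword classification table is an assumption for this example, not strongSwan's own keyword list.

```python
# Constructed keyword table (assumption for this example, not strongSwan's
# authoritative list): which slot a keyword fills, and which ones are weak today.
ENC = {"aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16",
       "chacha20poly1305", "3des", "des", "null"}
INTEG = {"sha1", "sha256", "sha2_256", "sha384", "sha2_384", "sha512", "sha2_512", "md5"}
PRF = {"prfsha1", "prfsha256", "prfsha384", "prfsha512"}
DH = {"modp768", "modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
      "ecp256", "ecp384", "ecp521", "curve25519"}
WEAK = {"des", "3des", "null", "md5", "sha1", "prfsha1", "modp768", "modp1024", "modp1536"}


def parse_proposals(spec):
    """Parse an ipsec.conf-style ike=/esp= value.

    Returns {"strict": bool, "proposals": [...]}, one dict per proposal with the
    keys enc/integ/prf/dh (keyword or None), text (the original proposal string)
    and weak (list of keywords from WEAK found in that proposal).
    """
    spec = spec.strip()
    strict = spec.endswith("!")        # '!' restricts the peer to exactly this list
    if strict:
        spec = spec[:-1]
    proposals = []
    for prop in (p.strip() for p in spec.split(",")):
        if not prop:
            continue
        slots = {"enc": None, "integ": None, "prf": None, "dh": None, "text": prop}
        for tok in prop.split("-"):
            if tok in ENC:
                slots["enc"] = tok
            elif tok in INTEG:
                slots["integ"] = tok
            elif tok in PRF:
                slots["prf"] = tok
            elif tok in DH:
                slots["dh"] = tok          # absent in an esp= proposal means no PFS
            else:
                raise ValueError(f"unknown algorithm keyword {tok!r} in {prop!r}")
        if slots["enc"] is None:
            raise ValueError(f"no encryption algorithm in {prop!r}")
        slots["weak"] = [t for t in prop.split("-") if t in WEAK]
        proposals.append(slots)
    return {"strict": strict, "proposals": proposals}


def weak_proposals(spec):
    """Return the proposal strings in spec that still contain a WEAK keyword."""
    return [p["text"] for p in parse_proposals(spec)["proposals"] if p["weak"]]
```

Running it over the ike= line from the post reports every proposal, since each one carries modp1024 and two also carry sha1 or 3des.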