[strongSwan] How to define multiple proposals in IKEv1

Tobias Brunner tobias at strongswan.org
Mon Aug 29 17:57:11 CEST 2016


Hi Steve,

> Question 1) Can I define multiple proposals for 'ike' and adding '!' to
> restrict Strongswan to accept the defined proposals only? Since the
> initiator is not fixed, local Strongswan can be the responder or
> initiator depends on different scenario.

Yes, adding ! in ipsec.conf will restrict the proposals to the ones
configured.  That is, the default proposal, which basically includes all
available algorithms, will _not_ be added.  For swanctl.conf the default
proposal is not added automatically (unless `ike` or `esp` is not set at
all), that is, unless the keyword `default` is included explicitly in
the proposal list, setting any proposals is like adding a ! in ipsec.conf.

For IKEv1 initiators the default proposal is very limited, though,
because only the first algorithm of each type is sent in the SA payload.
Which means that in the current release `aes128-sha256-modp3072` is
added, which is already the default if nothing is configured in `ike` in
ipsec.conf, so in that case this proposal is apparently sent twice (since
swanctl.conf defaults to `default` it will only be sent once there).
However, as responder the default proposal is considered in its entirety
if ! is not added (or `default` is specified in swanctl.conf), so as
IKEv1 responder strongSwan might accept more algorithms than it proposes
as initiator.

> Question 2) Is it possible to define multiple proposals for 'esp', as
> well as if I add the '!' flag?

Should work exactly the same as with `ike`.  If ! is not added (or
`default` is contained in swanctl.conf) a default proposal will be added
(out of which IKEv1 initiators will propose `aes128-sha256` in the
current release and which contains a few more algorithms as responder).
Otherwise, the proposals are restricted to whatever is configured.

> Thank you very much for your time, hope someone can give me direction on
> how to solve this problem. 😀

What problem is that exactly?

Regards,
Tobias
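The two behaviours described in the reply above, written out as an added configuration example (not part of Tobias' message or of the strongSwan documentation): a connection named `example-ikev1` (a hypothetical name) configured first in ipsec.conf and then equivalently in swanctl.conf. The algorithm lists are assumptions chosen for illustration; the point is the effect of the trailing `!` in ipsec.conf and of the `default` keyword in swanctl.conf on what an IKEv1 initiator proposes and what a responder accepts.

```conf
# --- ipsec.conf (added example; connection name is hypothetical) ---
conn example-ikev1
    keyexchange=ikev1
    # Without a trailing "!" strongSwan appends its default proposal.
    # As IKEv1 initiator only the first algorithm of each type from that
    # default is sent (aes128-sha256-modp3072 in the release discussed),
    # but as responder the entire default set is accepted.
    #ike=aes256-sha256-modp2048,aes128-sha256-modp3072
    #esp=aes256-sha256,aes128-sha256

    # With "!" only the listed proposals are offered and accepted,
    # in both the initiator and the responder role.
    ike=aes256-sha256-modp2048,aes128-sha256-modp3072!
    esp=aes256-sha256,aes128-sha256!
    # remaining connection settings (peers, authentication) unchanged

# --- swanctl.conf equivalent ---
connections {
    example-ikev1 {
        version = 1
        # Listing proposals without the "default" keyword already
        # restricts strongSwan to exactly these, like "!" above.
        proposals = aes256-sha256-modp2048, aes128-sha256-modp3072
        # To reproduce the ipsec.conf behaviour without "!", append "default":
        #proposals = aes256-sha256-modp2048, aes128-sha256-modp3072, default
        children {
            net {
                esp_proposals = aes256-sha256, aes128-sha256
                #esp_proposals = aes256-sha256, aes128-sha256, default
            }
        }
    }
}
```

After loading, `swanctl --list-conns` prints the proposals actually configured for each connection, and the algorithms negotiated for an established SA are visible in `ipsec statusall` or `swanctl --list-sas`; comparing the two on the responder side is the quickest way to confirm that the restriction took effect and that no algorithm from the default proposal slipped in.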
