[strongSwan] How to define multiple proposals in IKEv1
kesteve at kesteve.com
Tue Aug 30 09:44:11 CEST 2016
Thank you very much for helping, let me further clarify a bit.
Strongswan version is 5.5.0.
About Q1, for example, remote peer only accept *3des-sha1-modp1024*, and
local Strongswan using the following "ike" config.
Config (a) works well and phase 1 passed using 3des-sha1-modp1024 without
Config (b) failed and Strongswan only propose aes256-sha1-modp1024 to
remote peer, and the 3des proposal is not sent at all. The only difference
compared to (a) is I have added "!" to restrict Strongswan to accept the
So question 1 is, why config (b) fail?
For Q2, using the same example, remote peer only accept *3des-sha1-modp1024*
for phase 2, and local Strongswan using:
No matter (a) or (b), with or without "!", Strongswan never propose the
second 3des proposal to remote peer, the behavior is different compared to
"ike". Is this a bug?
Thanks again, I'm still trying different options and trying to read the
source code, hopefully will have some breakthrough.
2016-08-29 23:57 GMT+08:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Steve,
> > Question 1) Can I define multiple proposals for 'ike' and adding '!' to
> > restrict Strongswan to accept the defined proposals only? Since the
> > initiator is not fixed, local Strongswan can be the responder or
> > initiator depends on different scenario.
> Yes, adding ! in ipsec.conf will restrict the proposals to the ones
> configured. That is, the default proposal, which basically includes all
> available algorithms, will _not_ be added. For swanctl.conf the default
> proposal is not added automatically (unless `ike` or `esp` is not set at
> all), that is, unless the keyword `default` is included explicitly in
> the proposal list setting any proposals is like adding a ! in ipsec.conf.
> For IKEv1 initiators the default proposal is very limited, though,
> because only the first algorithm of each type is sent in the SA payload.
> Which means that in the current release `aes128-sha256-modp3072` is
> added, which is already the default if nothing is configured in `ike` in
> ipsec.conf so in that case this proposal is apparently sent twice (since
> swanctl.conf defaults to `default` it will only be sent once there).
> However, as responder the default proposal is considered in its entirety
> if ! is not added (or `default` is specified in swanctl.conf), so as
> IKEv1 responder strongSwan might accept more algorithms than it proposes
> as initiator.
> > Question 2) Is it possible to define multiple proposals for 'esp', as
> > well as if I add the '!' flag?
> Should work exactly the same as with `ike`. If ! is not added (or
> `default` is contained in swanctl.conf) a default proposal will be added
> (out of which IKEv1 initiators will propose `aes128-sha256` in the
> current release and contains a few more algorithms as responder).
> Otherwise, the proposals are restricted to whatever is configured.
> > Thank you very much for your time, hope someone can give me direction on
> > how to solve this problem. 😀
> What problem is that exactly?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users