[strongSwan] IKE Connection on iOS 12 Only Able to Use DH Group 2 (modp1024)
brian.g.colby at gmail.com
brian.g.colby at gmail.com
Wed Dec 19 23:50:10 CET 2018
Hello,
I have an iOS configuration profile that is proposing make the Phase 1
connection with Diffie-Hellman Group 21 (ecp521).
I have opened the profile in an XML editor and confirmed that the settings
show DH Group 21:
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>21</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
The same settings are reflected in my ipsec.conf file:
conn GPIT
keyexchange=ike
ike=aes256-sha256-ecp521!
esp=aes256-sha256-ecp521!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftsubnet=0.0.0.0/0
leftcert=vpn03generalpurposeitcom.pem
leftfirewall=yes
leftid=vpn03.generalpurposeit.com
leftauth=pubkey
leftsendcert=always
right=%any
rightid=%any
rightauth=eap-radius
rightsendcert=never
rightsourceip=172.16.10.1/24
auto=add
The log file shows the following:
Dec 19 13:41:15 vpn03 strongswan: 10[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Dec 19 13:41:15 vpn03 strongswan: 10[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
Dec 19 13:41:15 vpn03 strongswan: 10[IKE] received proposals unacceptable
Without changing the configuration profile, if I change my ipsec.conf file
to read "ike=aes256-sha256-modp1024!" it will connect.but since DH Group 2
is deprecated, I obviously cannot keep this long term. The Phase 2
connection works fine with the "esp=aes256-sha256-ecp521!" line in my
ipsec.conf file.
I have read in the strongSwan wiki a reference to a known bug in iOS in iOS
9+ which reads "For manual configurations, specify only DH group 2
(modp1024) in the ike configuration. Although the iOS client claims to
support modp1536, an unfixed bug prevents these connections from
succeeding."
(https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients) Is this
still the case? I opened up a bug fix with Apple regarding this, but I
haven't seen any response yet. Thank you.
R/s,
Brian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20181219/e74dfcb0/attachment.html>
More information about the Users
mailing list