[strongSwan] upgrade from 4.5.2 to 5.2.1 breaks phase 2 authentication
CJ Fearnley
cjf at LinuxForce.net
Tue Jul 10 01:28:51 CEST 2018
I had a Strongswan 4.5.2 working great on Linux for several
years. Yesterday when I upgraded to 5.2.1 (using Debian Jessie / 8.11),
too much changed.
I got the phase 1 authentication working again.
I've narrowed down the problems with phase two to the encryption
protocols.
What is needed to solve these two encryption algorithm mismatches:
config setup
        uniqueids=no

conn %default
        mobike=no
        keyexchange=ikev1
        leftsubnet=192.168.100.0/24
        left=XXX.YYY.ZZ.58
        ikelifetime=8h
        lifetime=8h
        compress=no
        leftsendcert=no
        auto=add

conn aston
        rightsubnet=192.168.11.0/24
        right=ZZZ.WWW.3.210
        authby=psk
Aston gives this error:
Jul 9 19:24:05 powerwall-34 charon: 04[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jul 9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jul 9 19:24:05 powerwall-34 charon: 04[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
Why is Strongswan not offering MODP_1024 for a 3des-sha1 proposal?
conn tonyhome
        rightsubnet=192.168.10.0/24
        right=%any
        authby=psk
tonyhome gives this error:
Jul 9 19:22:57 powerwall-34 charon: 10[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Jul 9 19:22:57 powerwall-34 charon: 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jul 9 19:22:57 powerwall-34 charon: 10[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
Also, I notice when charon starts up, it gives this informational message:
Jul 9 18:30:15 powerwall-34 charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Jul 9 18:30:15 powerwall-34 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
What might be wrong with the stock Debian strongswan packages that there
are unmet dependencies?
I should add that I'm running a 3.2.0 kernel. It is possible that by
upgrading to the Debian Jessie 3.16.0, more plugins and so more encryption
proposals might become available. I plan to run that experiment off
hours this evening. But I doubt that it will help.
I have already upgraded to Jessie's openssl which is version 1.0.1t hoping
that might help. I don't see any other packages that might help. I even
have libstrongswan-extra-plugins, but that doesn't seem to change the
number of proposals strongswan offers.
lfcjf at powerwall-34:~$ dpkg -l '*swan*'|grep ^ii
ii libstrongswan 5.2.1-6+deb8u6 amd64 strongSwan utility and crypto library
ii libstrongswan-extra-plugins 5.2.1-6+deb8u6 amd64 strongSwan utility and crypto library (extra plugins)
ii libstrongswan-standard-plugins 5.2.1-6+deb8u6 amd64 strongSwan utility and crypto library (standard plugins)
ii strongswan 5.2.1-6+deb8u6 all IPsec VPN solution metapackage
ii strongswan-charon 5.2.1-6+deb8u6 amd64 strongSwan Internet Key Exchange daemon
ii strongswan-libcharon 5.2.1-6+deb8u6 amd64 strongSwan charon library
ii strongswan-starter 5.2.1-6+deb8u6 amd64 strongSwan daemon starter and configuration file parser
--
CJ Fearnley | LinuxForce Inc.
cjf at LinuxForce.net | IT Projects & Systems Maintenance
http://www.LinuxForce.net | http://blog.remoteresponder.net
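An added diagnostic, not part of the original post or of strongSwan itself, that parses the charon `received proposals` / `configured proposals` lines quoted above and reports the transform type(s) on which no configured ESP proposal can agree with the peer's; for both peers that set includes the DH group, i.e. they propose PFS with MODP_1024 while the configured proposals carry no DH group at all (in ipsec.conf the group is appended to the esp= proposal string, e.g. `esp=3des-sha1-modp1024`). The sample log lines are constructed from the post, with the long third configured proposal left out.

```python
import re

# Constructed sample log lines (third configured proposal omitted for brevity).
ASTON = """\
Jul 9 19:24:05 powerwall-34 charon: 04[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jul 9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
"""
TONYHOME = """\
Jul 9 19:22:57 powerwall-34 charon: 10[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Jul 9 19:22:57 powerwall-34 charon: 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
"""
PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)$")

def transform_type(name):
    """Map a charon transform name to the slot it fills in an ESP proposal."""
    if name.startswith(("MODP_", "ECP_")):
        return "dh"      # PFS group; a proposal without one offers no PFS
    if name.startswith(("HMAC_", "AES_XCBC")):
        return "integ"
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "enc"

def parse_proposals(text):
    """Return {'received': [...], 'configured': [...]}, each ESP proposal as type -> {algs}."""
    out = {"received": [], "configured": []}
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if not m:
            continue
        for prop in m.group(2).split(", "):
            proto, _, algs = prop.partition(":")
            if proto != "ESP":
                continue
            groups = {}
            for alg in algs.split("/"):
                groups.setdefault(transform_type(alg), set()).add(alg)
            out[m.group(1)].append(groups)
    return out

def blocking_types(recv, conf):
    """Transform types present on one side only or with no algorithm in common."""
    return {t for t in set(recv) | set(conf)
            if not (recv.get(t, set()) & conf.get(t, set()))}

def diagnose(text):
    """Per received ESP proposal, the fewest transform types that block every configured one."""
    props = parse_proposals(text)
    return [min((blocking_types(r, c) for c in props["configured"]), key=len)
            for r in props["received"]]
```

An empty set in the result means some configured proposal already matches; `{'dh'}` means the only thing in the way is the PFS group.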