[strongSwan] upgrade from 4.5.2 to 5.2.1 breaks phase 2 authentication

CJ Fearnley cjf at LinuxForce.net
Tue Jul 10 01:28:51 CEST 2018


I had strongSwan 4.5.2 working great on Linux for several
years. Yesterday when I upgraded to 5.2.1 (using Debian Jessie / 8.11),
too much changed.

I got the phase 1 authentication working again.

I've narrowed down the problems with phase two to the encryption
protocols.

What is needed to solve these two encryption algorithm mismatches:

config setup
    uniqueids=no

conn %default
    mobike=no
    keyexchange=ikev1
    leftsubnet=192.168.100.0/24
    left=XXX.YYY.ZZ.58
    ikelifetime=8h
    lifetime=8h
    compress=no
    leftsendcert=no
    auto=add

conn aston
    rightsubnet=192.168.11.0/24
    right=ZZZ.WWW.3.210
    authby=psk

Aston gives this error:

Jul  9 19:24:05 powerwall-34 charon: 04[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jul  9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jul  9 19:24:05 powerwall-34 charon: 04[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN

Why is Strongswan not offering MODP_1024 for a 3des-sha1 proposal?

conn tonyhome
    rightsubnet=192.168.10.0/24
    right=%any
    authby=psk

tonyhome gives this error:

Jul  9 19:22:57 powerwall-34 charon: 10[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Jul  9 19:22:57 powerwall-34 charon: 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jul  9 19:22:57 powerwall-34 charon: 10[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN

Also, I notice when charon starts up, it gives this informational message:

Jul  9 18:30:15 powerwall-34 charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Jul  9 18:30:15 powerwall-34 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)

What might be wrong with the stock Debian strongswan packages that there
are unmet dependencies?

I should add that I'm running a 3.2.0 kernel. It is possible that by
upgrading to the Debian Jessie 3.16.0, more plugins and so more encryption
proposals might become available. I plan to run that experiment off
hours this evening. But I doubt that it will help.

I have already upgraded to Jessie's openssl, which is version 1.0.1t, hoping
that might help. I don't see any other packages that might help. I even
have libstrongswan-extra-plugins, but that doesn't seem to change the
number of proposals strongSwan offers.

lfcjf at powerwall-34:~$ dpkg -l '*swan*'|grep ^ii
ii  libstrongswan                  5.2.1-6+deb8u6 amd64        strongSwan utility and crypto library
ii  libstrongswan-extra-plugins    5.2.1-6+deb8u6 amd64        strongSwan utility and crypto library (extra plugins)
ii  libstrongswan-standard-plugins 5.2.1-6+deb8u6 amd64        strongSwan utility and crypto library (standard plugins)
ii  strongswan                     5.2.1-6+deb8u6 all          IPsec VPN solution metapackage
ii  strongswan-charon              5.2.1-6+deb8u6 amd64        strongSwan Internet Key Exchange daemon
ii  strongswan-libcharon           5.2.1-6+deb8u6 amd64        strongSwan charon library
ii  strongswan-starter             5.2.1-6+deb8u6 amd64        strongSwan daemon starter and configuration file parser

-- 
CJ Fearnley                 |   LinuxForce Inc.
cjf at LinuxForce.net          |   IT Projects & Systems Maintenance
http://www.LinuxForce.net   |   http://blog.remoteresponder.net
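The two rejected exchanges in the post have the same shape: the peer's ESP proposal carries a Diffie-Hellman group (MODP_1024, i.e. it wants PFS for the quick mode SA), while none of the configured ESP proposals carries any group at all, so charon has nothing to match it against. In strongSwan 5.x PFS for a CHILD_SA is expressed by putting the DH group into the `esp=` proposal (for example `esp=3des-sha1-modp1024`); the pluto-era `pfs=`/`pfsgroup=` keywords from 4.x no longer have that effect, and 4.x enabled PFS by default, which is why the old setup matched without an explicit `esp=` line. The tonyhome peer additionally asks for HMAC_SHA2_256_128, which the 5.2.1 default ESP proposal (aes128-sha1,3des-sha1 plus the compatibility set shown) does not include. The script below is an added diagnostic, not strongSwan code or part of the original post: it parses the `received proposals` / `configured proposals` log lines quoted above (copied into the block as sample input), reports which transform class never overlaps, and builds an `esp=` line that mirrors what the peer sent. The class and keyword tables are assumptions that cover the algorithm names in those lines plus a few common ones, not the full strongSwan registry. Mirroring the peer is a way to restore connectivity, not an endorsement: 3DES and MODP_1024 are legacy choices and the peers should be moved to AES and a 2048-bit or larger group.

```python
"""Diagnose strongSwan 'no matching proposal found' by comparing the
'received proposals' and 'configured proposals' [CFG] log lines.

Added example, not strongSwan code. Sample log lines are copied from the
mailing-list post; the CLASSES and KEYWORDS tables are assumptions that
cover the names appearing there plus a few common ones.
"""
import re

# Copied from the post (sample input, not generated by this script).
ASTON_LOG = """\
Jul  9 19:24:05 powerwall-34 charon: 04[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jul  9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jul  9 19:24:05 powerwall-34 charon: 04[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
""".splitlines()

TONYHOME_LOG = """\
Jul  9 19:22:57 powerwall-34 charon: 10[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Jul  9 19:22:57 powerwall-34 charon: 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
""".splitlines()

# Algorithm-name prefix -> transform class. Order matters: AES_XCBC is an
# integrity algorithm and must be tested before the generic AES_ prefix.
CLASSES = (
    ("DH", ("MODP_", "ECP_", "CURVE_")),
    ("ESN", ("NO_EXT_SEQ", "EXT_SEQ")),
    ("INTEG", ("HMAC_", "AES_XCBC", "AES_CMAC")),
    ("ENCR", ("AES_", "3DES", "BLOWFISH", "CAMELLIA", "CHACHA20", "NULL")),
)

# Log name -> ipsec.conf esp= token (assumed table, extend as needed).
KEYWORDS = {
    "3DES_CBC": "3des", "AES_CBC_128": "aes128", "AES_CBC_192": "aes192",
    "AES_CBC_256": "aes256",
    "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
    "HMAC_SHA2_384_192": "sha384", "HMAC_SHA2_512_256": "sha512",
    "MODP_1024": "modp1024", "MODP_1536": "modp1536", "MODP_2048": "modp2048",
}

LOG_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)$")


def classify(alg):
    for cls, prefixes in CLASSES:
        if alg.startswith(prefixes):
            return cls
    return "OTHER"


def parse_proposal(text):
    """'ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ' -> ('ESP', {class: {algs}})"""
    proto, _, algs = text.strip().partition(":")
    by_class = {}
    for alg in algs.split("/"):
        by_class.setdefault(classify(alg), set()).add(alg)
    return proto, by_class


def parse_log(lines):
    """Return (received, configured) lists of parsed proposals from charon log lines."""
    received, configured = [], []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        props = [parse_proposal(p) for p in m.group(2).split(", ")]
        (received if m.group(1) == "received" else configured).extend(props)
    return received, configured


def diagnose(received, configured):
    """For each received proposal, the transform classes that the closest
    configured proposal of the same protocol cannot satisfy. A class present
    on only one side (e.g. a DH group the peer sends and we never configured)
    counts as a mismatch. Empty result means some configured proposal matches."""
    problems = []
    for rproto, rcls in received:
        best = None
        for cproto, ccls in configured:
            if cproto != rproto:
                continue
            missing = sorted(cls for cls in set(rcls) | set(ccls)
                             if not (rcls.get(cls, set()) & ccls.get(cls, set())))
            if best is None or len(missing) < len(best):
                best = missing
        if best is None:
            problems.append((rproto, ["NO_PROPOSAL_FOR_PROTOCOL"]))
        elif best:
            problems.append((rproto, best))
    return problems


def suggest_esp(received):
    """esp= line that accepts exactly what the peer offered: ENCR-INTEG-DH per
    proposal. A DH group in the ESP proposal is how strongSwan 5.x requests PFS."""
    tokens = []
    for proto, cls in received:
        if proto != "ESP":
            continue
        parts = [KEYWORDS.get(alg, alg.lower())
                 for c in ("ENCR", "INTEG", "DH")
                 for alg in sorted(cls.get(c, ()))]
        tokens.append("-".join(parts))
    return "esp=" + ",".join(tokens)


if __name__ == "__main__":
    for name, log in (("aston", ASTON_LOG), ("tonyhome", TONYHOME_LOG)):
        rec, conf = parse_log(log)
        print(name, "mismatched classes:", diagnose(rec, conf))
        print(name, "proposal mirroring the peer:", suggest_esp(rec))
```

Run it against a live system with `journalctl -u strongswan | grep '\[CFG\]' | python3 diagnose.py`-style piping by swapping the sample lists for `sys.stdin`; the output for the two samples above is `[('ESP', ['DH'])]` for aston and `[('ESP', ['DH', 'INTEG'])]` for tonyhome, which is the PFS-group (and, for tonyhome, SHA-256) gap described in the lead-in. Put the suggested `esp=` line into the respective `conn` sections, not into `conn %default`, so each peer only gets the proposal it actually needs.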

