[strongSwan] upgrade from 4.5.2 to 5.2.1 breaks phase 2 authentication

Tobias Brunner tobias at strongswan.org
Tue Jul 10 10:56:50 CEST 2018


Hi,

> Jul  9 19:24:05 powerwall-34 charon: 04[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> Jul  9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Jul  9 19:24:05 powerwall-34 charon: 04[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
> 
> Why is Strongswan not offering MODP_1024 for a 3des-sha1 proposal?

Because as you can see, its default ESP proposals don't include any DH
groups.  Configure esp=3des-sha1-modp1024 to match the client's
proposal.  You can also read [1] for a description of IKEv1-related
differences between 4.x and 5.x releases.

> Jul  9 19:22:57 powerwall-34 charon: 10[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
> Jul  9 19:22:57 powerwall-34 charon: 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Jul  9 19:22:57 powerwall-34 charon: 10[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN

Same thing as above, but with sha256 instead of sha1.

> Also, I notice when charon starts up, it gives this informational message:
> 
> Jul  9 18:30:15 powerwall-34 charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
> Jul  9 18:30:15 powerwall-34 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> 
> What might be wrong with the stock Debian strongswan packages that there
> are unmet dependencies?

Nothing really wrong here, these plugin features are, for instance,
related to DSA, which none of our crypto plugins supports (i.e. there
will always be plugin features that can't be loaded).  You see more
details if you increase the log level for lib to 2 or even 3, and the
plugin features (including those that were not loaded) are listed in the
output of `ipsec listplugins`.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1
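As an added illustration, not part of this reply or of strongSwan's own code, a small Python script that parses the quoted charon log lines, reports which transform type of the peer's ESP proposal none of the configured proposals cover (here the DH group), and builds the ipsec.conf esp= keyword string that would match the peer. The matching rule it implements is a simplified assumption, not charon's exact selection code, and the keyword table covers only the algorithms seen in this thread.

```python
import re

# Constructed sample input: the received/configured lines quoted in the mail above.
RECEIVED_SHA1 = ("Jul  9 19:24:05 powerwall-34 charon: 04[CFG] received proposals: "
                 "ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ")
RECEIVED_SHA256 = ("Jul  9 19:22:57 powerwall-34 charon: 10[CFG] received proposals: "
                   "ESP:3DES_CBC/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ")
CONFIGURED = ("Jul  9 19:24:05 powerwall-34 charon: 04[CFG] configured proposals: "
              "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, "
              "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ")

# Log algorithm name -> ipsec.conf proposal keyword (only the ones seen in this thread).
KEYWORD = {"3DES_CBC": "3des", "AES_CBC_128": "aes128", "HMAC_SHA1_96": "sha1",
           "HMAC_SHA2_256_128": "sha256", "MODP_1024": "modp1024"}

def transform_type(alg):
    """Bucket a charon algorithm name by transform type (assumed naming, covers this log)."""
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "integ" if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")) else "encr"

def parse_proposals(log_line):
    """'... proposals: ESP:A/B, ESP:C/D' -> list of (proto, {type: {algorithms}})."""
    text = re.search(r"proposals: (.*)$", log_line).group(1)
    out = []
    for prop in text.split(", "):
        proto, _, algs = prop.partition(":")
        by_type = {}
        for alg in algs.split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        out.append((proto, by_type))
    return out

def diagnose(received_line, configured_line):
    """Return (types of the peer's proposal no configured proposal covers, esp= string
    matching the peer). Simplified rule (assumption, not charon's code): same protocol,
    and every type either side lists must be on both sides with a common algorithm."""
    proto, peer = parse_proposals(received_line)[0]
    configured = [m for p, m in parse_proposals(configured_line) if p == proto]
    if any(all(peer.get(t, set()) & m.get(t, set()) for t in set(peer) | set(m))
           for m in configured):
        missing = {}  # some configured proposal would have been selected
    else:
        missing = {t: sorted(algs) for t, algs in peer.items()
                   if not algs & set().union(*(m.get(t, set()) for m in configured))}
    esp = "-".join(KEYWORD.get(a, a.lower()) for t in ("encr", "integ", "dh")
                   for a in sorted(peer.get(t, ())))
    return missing, esp
```

For the first quoted exchange this reports that only the DH group MODP_1024 is uncovered and suggests esp=3des-sha1-modp1024; for the second it additionally flags HMAC_SHA2_256_128 and suggests esp=3des-sha256-modp1024.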
