[strongSwan] Cipher Suite proposals changed in the course of 5.6.0 to 5.6.2

Dr. Rolf Jansen rj at obsigna.com
Sun Mar 18 23:48:45 CET 2018

I am still using an iPhone 4 with iOS 7.1.2 which cannot be updated to a more recent iOS.

When I am on travel, I use the builtin L2TP/IPsec client in order to connect to my FreeBSD home server providing the respective VPN service via net/mpd5 + security/strongswan (both of which are installed from the ports collection).

After a recent update from strongSwan 5.6.0 to v5.6.2, my iPhone 4 cannot connect anymore. In the server's log I see:

Mar 18 18:33:05 example charon: 15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 18 18:33:05 example charon: 15[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Mar 18 18:33:05 example charon: 15[IKE] no proposal found

I dug into the strongSwan sources, and I found, that some ciphers were disabled. As a hot fix I added on my FreeBSD server a patch file to /usr/ports/security/strongswan/files/patch-zz-add-classic-ciphers.local (s. attachment), then I executed make deinstall install clean. For the time being, this restored the iPhone 4 L2TP/IPsec connectivity.

I know the iPhone 4 is almost 8 years old, however, mine looks like I bought it yesterday, and the battery is still in a perfect shape, and I don't want to buy a new one in the foreseeable future. Please may I ask to pick the best cipher from the above list which iOS 7.1.2 is aware of, and add it to the list of proposals which strongSwan wants to accept.

Best regards

Rolf Jansen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-zz-add-classic-ciphers.local
Type: application/octet-stream
Size: 2614 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180318/ab0f8f28/attachment.obj>

More information about the Users mailing list