[strongSwan] Cipher Suite proposals changed in the course of 5.6.0 to 5.6.2
Dr. Rolf Jansen
rj at obsigna.com
Sun Mar 18 23:48:45 CET 2018
I am still using an iPhone 4 with iOS 7.1.2 which cannot be updated to a more recent iOS.
When I am on travel, I use the builtin L2TP/IPsec client in order to connect to my FreeBSD home server providing the respective VPN service via net/mpd5 + security/strongswan (both of which are installed from the ports collection).
After a recent update from strongSwan 5.6.0 to v5.6.2, my iPhone 4 cannot connect anymore. In the server's log I see:
Mar 18 18:33:05 example charon: 15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Mar 18 18:33:05 example charon: 15[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Mar 18 18:33:05 example charon: 15[IKE] no proposal found
I dug into the strongSwan sources, and I found, that some ciphers were disabled. As a hot fix I added on my FreeBSD server a patch file to /usr/ports/security/strongswan/files/patch-zz-add-classic-ciphers.local (s. attachment), then I executed make deinstall install clean. For the time being, this restored the iPhone 4 L2TP/IPsec connectivity.
I know the iPhone 4 is almost 8 years old, however, mine looks like I bought it yesterday, and the battery is still in a perfect shape, and I don't want to buy a new one in the foreseeable future. Please may I ask to pick the best cipher from the above list which iOS 7.1.2 is aware of, and add it to the list of proposals which strongSwan wants to accept.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2614 bytes
Desc: not available
More information about the Users