[strongSwan] Cipher Suite proposals changed in the course of 5.6.0 to 5.6.2

Andreas Steffen andreas.steffen at strongswan.org
Mon Mar 19 07:11:32 CET 2018


Hi Rolf,

the correct syntax is

  ike=aes256-sha1-modp1024

Regards

Andreas

On 19.03.2018 02:08, Dr. Rolf Jansen wrote:
> I tried already adding the following line to my ipsec.conf:
> 
>    ike = AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> 
> But as expected, this did not work because the syntax for specifying the ciphers is different from the syntax for the actually used proposals. I searched half the day for sort of a translation table or translation aid before I gave up and simply patched the sources.
> 
> That said, what would be the correct ike directive for getting charon simply to accept the above proposal?
> 
> Thank you ver much
> 
> Rolf Jansen
> 
> 
>> Am 18.03.2018 um 20:01 schrieb Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
>>
>> Hello,
>>
>> I know that everything looks like a nail, if you only got a hammer, but you only needed to add a corresponding ike and/or esp line in ipsec.conf to configure the right ciphers for that particular IKE SA configuration. The ciphers were removed because they were insecure and now there's an RFC for that. Take a look at the UsableExamples page.
>>
>> Kind regards
>>
>> Noel
>>
>> On 18.03.2018 23:48, Dr. Rolf Jansen wrote:
>>> I am still using an iPhone 4 with iOS 7.1.2 which cannot be updated to a more recent iOS.
>>>
>>> When I am on travel, I use the builtin L2TP/IPsec client in order to connect to my FreeBSD home server providing the respective VPN service via net/mpd5 + security/strongswan (both of which are installed from the ports collection).
>>>
>>> After a recent update from strongSwan 5.6.0 to v5.6.2, my iPhone 4 cannot connect anymore. In the server's log I see:
>>>
>>> Mar 18 18:33:05 example charon: 15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>>> Mar 18 18:33:05 example charon: 15[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
>>> Mar 18 18:33:05 example charon: 15[IKE] no proposal found
>>>
>>>
>>> I dug into the strongSwan sources, and I found, that some ciphers were disabled. As a hot fix I added on my FreeBSD server a patch file to /usr/ports/security/strongswan/files/patch-zz-add-classic-ciphers.local (s. attachment), then I executed make deinstall install clean. For the time being, this restored the iPhone 4 L2TP/IPsec connectivity.
>>>
>>> I know the iPhone 4 is almost 8 years old, however, mine looks like I bought it yesterday, and the battery is still in a perfect shape, and I don't want to buy a new one in the foreseeable future. Please may I ask to pick the best cipher from the above list which iOS 7.1.2 is aware of, and add it to the list of proposals which strongSwan wants to accept.
>>>
>>> Best regards
>>>
>>> Rolf Jansen
>>>
>>
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2945 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180319/3df79413/attachment.bin>


More information about the Users mailing list