[strongSwan] policy mismatch
Christian Salway
ccsalway at yahoo.co.uk
Tue May 1 23:59:00 CEST 2018
version: strongSwan 5.6.2
When I connect from Windows 10, strongSwan replies with a different policy than requested, causing a policy mismatch.
```
connections {
    default {
        version = 2
        send_cert = always
        encap = yes
        pools = pool1
        unique = replace
        proposals = aes256gcm16-aes128gcm16-sha384-sha256-prfsha384-prfsha256-modp1024
        local {
            id = vpnserver
            certs = vpnserver.crt
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            net {
                local_ts = 10.0.0.0/20
                inactivity = 1h
            }
        }
    }
}
```
When Windows connects, strongSwan gives it the wrong policy and hence Windows 10 reports a policy match error:
```
May 1 21:53:12 08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
May 1 21:53:12 08[CFG] configured proposals: IKE:AES_GCM_16_256/AES_GCM_16_128/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/MODP_1024
May 1 21:53:12 08[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024
```
Expected response (I'm guessing): AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 (although I don't know why it doesn't choose the better ciphers).
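Added example, not part of the original post: a small Python helper that parses the three `[CFG]` proposal lines from the log above and reports, for each proposal Windows sent, the transform types on which it shares nothing with the selected proposal. The sample log is abbreviated from the post (3 of the 18 received proposals), and the name-prefix classification in `transform_type` is an assumption that covers only the transform names appearing in this log.

```python
import re

# Abbreviated from the log in the post: 3 of the 18 received proposals kept.
SAMPLE_LOG = """\
May 1 21:53:12 08[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
May 1 21:53:12 08[CFG] configured proposals: IKE:AES_GCM_16_256/AES_GCM_16_128/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/MODP_1024
May 1 21:53:12 08[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024
"""

LINE = re.compile(
    r"\[CFG\] (received proposals|configured proposals|selected proposal): (.*)$"
)


def transform_type(name):
    """Map a transform name to its IKEv2 transform type.

    Assumption: prefix matching is enough for the names in this log only.
    """
    if name.startswith("PRF_"):      # test before HMAC_: PRF_HMAC_* is a PRF
        return "PRF"
    if name.startswith("HMAC_"):
        return "INTEG"
    if name.startswith("MODP_"):
        return "DH"
    return "ENCR"


def parse_proposal(text):
    """'IKE:A/B/C' -> {'ENCR': {'A'}, 'INTEG': {'B'}, ...}"""
    _proto, _, names = text.strip().partition(":")
    by_type = {}
    for name in names.split("/"):
        by_type.setdefault(transform_type(name), set()).add(name)
    return by_type


def parse_log(log):
    """Return {'received proposals': [...], 'configured proposals': [...], ...}."""
    found = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            found[m.group(1)] = [parse_proposal(p) for p in m.group(2).split(", ")]
    return found


def compare(log):
    """Per received proposal: transform types with no overlap with the selected one."""
    parsed = parse_log(log)
    selected = parsed["selected proposal"][0]
    return [sorted(t for t in offer if not (offer[t] & selected.get(t, set())))
            for offer in parsed["received proposals"]]
```

On the abbreviated sample, the `AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024` offer differs from the selected proposal only in the INTEG type, because the logged selected proposal lists no integrity transform.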